Secure Two-party Threshold ECDSAfrom ECDSA Assumptions

Jack Doernerj@ckdoerner.net

Northeastern University

Yashvanth Kondiykondi@ccs.neu.edu

Northeastern University

Eysa Leeeysa@ccs.neu.eduNortheastern University

abhi shelatabhi@neu.edu

Northeastern University

Abstract—The Elliptic Curve Digital Signature Algorithm(ECDSA) is one of the most widely used schemes in deployedcryptography. Through its applications in code and binaryauthentication, web security, and cryptocurrency, it is likely oneof the few cryptographic algorithms encountered on a dailybasis by the average person. However, its design is such thatexecuting multi-party or threshold signatures in a secure manneris challenging: unlike other, less widespread signature schemes,secure multi-party ECDSA requires custom protocols, whichhas heretofore implied reliance upon additional cryptographicassumptions and primitives such as the Paillier cryptosystem.

We propose new protocols for multi-party ECDSA key-generation and signing with a threshold of two, which we provesecure against malicious adversaries in the Random Oracle Modelusing only the Computational Diffie-Hellman Assumption and theassumptions already relied upon by ECDSA itself. Our schemerequires only two messages, and via implementation we find thatit outperforms the best prior results in practice by a factor of 56for key generation and 11 for signing, coming to within a factorof 18 of local signatures. Concretely, two parties can jointly signa message in just over three milliseconds.

I. INTRODUCTION

Threshold Digital Signature Schemes, a classic notion inthe field of Cryptography [2], allow a group of individualsto delegate their joint authority to sign a message to anysubcommittee among themselves that is larger than a certainsize. Though extensively studied, threshold signing is seldomused in practice, in part because threshold techniques forstandard signatures tend to be highly inefficient, reliant uponunacceptable assumptions, or otherwise undesirable, whilebespoke threshold schemes are incompatible with familiar andwidely-accepted standards.

Consider the specific case of the Elliptic Curve DigitalSignature Algorithm (ECDSA), perhaps the most widespreadof signatures schemes: all existing threshold techniques forgenerating ECDSA signatures require the invocation of heavycryptographic primitives such as Paillier encryption [3]–[5].This leads both to poor performance and to reliance upon as-sumptions that are foreign to the mathematics on which ECDSAis based. This is troublesome, because performance concernsand avoidance of certain assumptions often motivate the use

This document revises and expands a paper that appeared in the 2018 IEEES&P Conference under the same title (doi:10.1109/SP.2018.00036, [1]). Thisversion differs in that the protocol has been modified and reorganized in orderto simplify our security analysis at the cost of a slight performance penalty,and the appendix now contains a complete proof of security.

of ECDSA in the first place. We address this shortcoming bydevising the first threshold signing algorithm for ECDSA that isbased solely upon Elliptic Curves and the assumptions that theECDSA signature scheme itself already makes. Furthermore,we improve upon the performance of previous works by afactor of eleven or more.

ECDSA is a standardized [6]–[8] derivative of the earlier Dig-ital Signature Algorithm (DSA), devised by David Kravitz [9].Where DSA is based upon arithmetic modulo a prime, ECDSAuses elliptic curve operations over finite fields. Compared toits predecessor, it has the advantage of being more efficientand requiring much shorter key lengths for the same level ofsecurity. In addition to the typical use cases of authenticatedmessaging, code and binary signing, remote login, &c., ECDSAhas been eagerly adopted where high efficiency is important.For example, it is used by TLS [10], DNSSec [11], and manycryptocurrencies, including Bitcoin [12] and Ethereum [13].

A t-of-n threshold signature scheme is a set of protocolswhich allow n parties to jointly generate a single public key,along with n private shares of a joint secret key, and thenprivately sign messages if and only if t (some predeterminednumber) of those parties participate in the signing operation.In addition to satisfying the standard properties of signatureschemes, it is necessary that threshold signature schemes besecure in a similar sense to other protocols for multi-partycomputation. That is, it is necessary that no malicious partycan subvert the protocols to extract another party’s share ofthe secret key, and that no subset of fewer than t parties cancollude to generate signatures.

The concept of threshold signatures originates with thework of Yvo Desmedt [2], who proposed that multi-party andthreshold cryptographic protocols could be designed to mirrorsocietal structures, and thus cryptography could take on a newrole, replacing organizational policy and social convention withmathematical assurance. Although this laid the motivationalgroundwork, it was the subsequent work of Desmedt andFrankel [14] that introduced the first true threshold encryptionand signature schemes. These are based upon a combination ofthe well-known ElGamal [15] and Shamir Secret-Sharing [16]primitives, and carry the disadvantage that they require a trustedparty to distribute private keys. Pedersen [17] later removedthe need for a trusted third party.

The earliest threshold signature schemes were formulated aswas convenient for achieving threshold properties; Desmedt and

1

Frankel [14] recognized the difficulties inherent in designingthreshold systems for standard signature schemes. Nevertheless,they later returned to the problem [18], proposing a non-interactive threshold system for RSA signatures [19]. Thiswas subsequently improved and proven secure in a series ofworks [20]–[23]. Threshold schemes were also developed forSchnorr [24], [25] and DSA [26]–[28] signatures. Many ofthese schemes were too inefficient to be practical, however.

The efficiency and widespread acceptance of ECDSA makeit a natural target for similar work, and indeed thresholdECDSA signatures are such a useful primitive that manycryptocurrencies are already implementing a similar conceptin an ad-hoc manner [29]. Unfortunately, the design of theECDSA algorithm poses a unique problem: the fact that ituses its nonce in a multiplicative fashion frustrates attemptsto use typical linear secret sharing systems as primitives. Therecent works of Gennaro et al. [4] and Lindell [3] solve thisproblem by using multiplicative sharing in combination withhomomorphic Paillier encryption [30]; the former focuses onthe general t-of-n threshold case, with an emphasis on thehonest-majority setting, while the latter focuses on the difficult2-of-2 case specifically. The resulting schemes (and the latterin particular) are very efficient in comparison to previousthreshold schemes for plain DSA signatures: Lindell reportsthat his scheme requires only 37ms (including communication)per signature over the standard P-256 [8] curve.

Unfortunately, both Lindell and Gennaro et al.’s schemesdepend upon the Paillier cryptosystem, and thus their securityrelies upon the Decisional Composite Residuosity Assumption.In some applications (cryptocurrencies, for example), the choiceof ECDSA is made carefully in consideration of the requiredassumptions, and thus the use of a threshold scheme thatrequires new assumptions may not be acceptable. Additionally,if it is to be proven secure via simulation, Lindell’s schemerequires a new (though reasonable) assumption about thePaillier cryptosystem to be made. Furthermore, the Pailliercryptosystem is so computationally expensive that even a singlePaillier operation represents a significant cost relative to typicalElliptic Curve operations. Thus in this work we ask whetheran efficient, secure, multi-party ECDSA signing scheme canbe constructed using only elliptic curve primitives and ellipticcurve assumptions, and find the answer in the affirmative.

A. Our Technique

Lindell observes that the problem of securely computing anECDSA signature among two parties under a public key pkcan be reduced to that of securely computing just two securemultiplications over the integers modulo the ECDSA curveorder q. Lindell uses multiplicative shares of the secret keyand nonce (hereafter called the instance key), and computes thesignature using the Paillier additive homomorphic encryptionscheme. We propose a new method to share the products whicheliminates the need for homomorphic encryption.

Recall the signing equation for ECDSA,

sig ..=H(m) + sk · rx

k

where m is the message, H is a hash function, sk is thesecret key, k is the instance key, and rx is the x-coordinateof the elliptic curve point R = k ·G (G being the generatorfor the curve). Suppose that k = kA · kB such that kA andkB are randomly chosen by Alice and Bob respectively, andR = (kA · kB) ·G, and suppose that sk = skA · skB. Alice andBob can learn R (and thus rx) securely via Diffie-Hellman [31]exchange, and they receive m as input. Rearranging, we have

sig = H(m) ·(

1

kA· 1

kB

)+ rx ·

(skAkA· skBkB

)which identifies the two multiplications on private inputsthat are necessary. In our scheme, the results of of thesemultiplications are returned as additive secret shares to Aliceand Bob. Since the rest of the equation is distributive over theseshares, Alice and Bob can assemble shares of the signaturewithout further interaction. Alice sends her share to Bob, whoreconstructs sig and checks that it verifies.

To compute these multiplications, one could apply genericmulti-party computation over arithmetic circuits, but genericMPC techniques incur large practical costs in order to achievemalicious security. Instead, we construct a new two-partymultiplication protocol, based upon the semi-honest Oblivious-Transfer (OT) multiplication technique of Gilboa [32], whichwe harden to tolerate malicious adversaries. Note that even ifthe original Gilboa multiplication protocol is instantiated witha malicious-secure OT protocol, it is vulnerable to a simpleselective failure attack whereby the OT sender (Alice) canlearn one or more bits of the secret input of the OT receiver(Bob). We mitigate this attack by encoding the Bob’s inputrandomly, such that Alice must learn more than a statisticalsecurity parameter number of bits in order to determine hisunencoded input.

Unfortunately Bob may also cheat and learn somethingabout Alice’s secrets by using inconsistent inputs in the twodifferent multiplication protocols, or by using inconsistentinputs between the multiplications and the Diffie-Hellmanexchange. In order to mitigate this issue, we introduce a simpleconsistency check which ensures that Bob’s inputs correspondto his shares of the established secret key and instance key. Inessence, Alice and Bob combine their shares with the secretkey and instance key in the exponent, such that if the shares areconsistent then they evaluate to a constant value. This check isa novel and critical element of our protocol, and we conjecturethat it can be applied to other domains.

Our signing protocol can easily be adapted for thresholdsigning among n parties with a threshold of two. This requiresthe addition of a special n-party setup protocol, and themodification of the signing protocol to allow the parties toprovide additive shares of their joint secret key rather thanmultiplicative shares. Surprisingly, this incurs an overheadequivalent to less than half of an ordinary multiplication.

B. Our Contributions

1) We present an efficient n-party ECDSA key generationprotocol and prove it secure in the Random Oracle Model

2

under the Computational Diffie-Hellman assumption.2) We present an efficient two-party, two-round ECDSA

signing protocol that is secure under the ComputationalDiffie-Hellman assumption and the assumption that theresulting signature is itself secure. Since CDH is impliedby the Generic Group Model, under which ECDSA isproven secure, we require no additional assumptionsrelative to ECDSA itself.

3) We formulate a new ideal functionality for multi-partyECDSA signing that permits our signing protocol toachieve much better practical efficiency than it could if itwere required to adhere to the standard functionality. Wereduce the security of our functionality to the security ofthe classic signature game in the Generic Group Model.

4) In service of our main protocol, we devise a variantof Gilboa’s multiplication by oblivious transfer tech-nique [32] that may be of independent interest. It usesrandomized input-encoding along with a new consistencycheck to maintain security against malicious adversaries.

5) At the core of our multiplication protocol is an oblivioustransfer scheme based upon the Simplest OT [33] andKOS [34] OT-extension protocols. We introduce a newcheck system to avoid the issues that have recently castdoubt on the UC-security of Simplest OT [35].

6) We provide an implementation of our protocol in Rust,and demonstrate its efficiency under real-world conditions.We find our implementation can produce roughly 320signatures per second per core on commodity hardware.

C. Organization

The remainder of this document is organized as follows.In Section II we review essential concepts and definitions,and in Section III we discuss the ideal functionality that ourprotocols will realize. In Section IV we specify a basic two-party protocol, which we extend to support 2-of-n thresholdsigning in Section V. In Section VI we describe the multi-plication primitive that we use. In Section VII we present acomparative analysis of our protocols. In Section VIII, wedescribe our implementation and present benchmark results. Inthe appendices we describe our OT primitive, further discussthe functionalities we use, and prove our protocols secure.

II. PRELIMINARIES AND DEFINITIONS

A. Notation and Conventions

We denote curve points with capitalized variables and scalarswith lower case. Vectors are given in bold and indexed bysubscripts, while matrices are denoted by bold capitals, withsubscripts and superscripts representing row indices and columnindices respectively. Thus xi is the ith element of the vectorx, which is distinct from the variable x. We use = to denoteequality, ..= for assignment,← for sampling an instance from adistribution, and

c≡ to indicate computational indistinguishabil-ity for two distributions. The ith party participating in a protocolis denoted with Pi, and when only two parties participate, theyare called Alice and Bob for convenience. Throughout thisdocument, we use κ to represent the security parameter of the

elliptic curve over which our equations are evaluated, and weuse s for a statistical security parameter.

In functionalities, we assume standard and implicit bookkeep-ing. In particular, we assume that along with the other messageswe specify, session IDs and party IDs are transmitted so thatthe functionality knows to which instance a message belongsand who is participating in that instance, and we assume thatthe functionality aborts if a party tries to reuse a session ID,send messages out of order, &c. We use slab-serif to denotemessage tokens, which communicate the function of a messageto its recipients. For simplicity we omit from a functionality’sspecifier all parameters that we do not actively use. So, forexample, many of our functionalities are parameterized by agroup G of order q, but we leave implicit the fact that in anygiven instantiation all functionalities use the same group.

Finally, we use H throughout this document to denote a hashfunction, which is modeled as a random oracle. It takes theform Hn : {0, 1}∗ 7→ Znq . That is, the range of the functionis n elements from Zq, where n is given as a superscript,and assumed to be 1 if absent. If a subscript is present in acall to H , then the function returns only the element fromits output that is indexed by the subscript. Thus, for example,H2(x) = (H2

1 (x), H22 (x)).

B. Digital Signatures

Definition 1 (Digital Signature Scheme [36]).A Digital Signature Scheme is a tuple of probabilistic polyno-mial time (PPT) algorithms, (Gen,Sign,Verify) such that:

1) Given a security parameter κ, the Gen algorithm outputsa public key/secret key pair: (pk, sk)← Gen(1κ)

2) Given a secret key sk and a message m, the Sign algorithmoutputs a signature σ: σ ← Signsk(m)

3) Given a message m, signature σ, and public key pk, theVerify algorithm outputs a bit b indicating whether thesignature is valid or invalid: b ..= Verifypk(m,σ)

A Digital Signature Scheme satisfies two properties:1) (Correctness) With overwhelmingly high probability, all

valid signatures must verify. Formally, we require that over(pk, sk)← Gen(1κ) and all messages m in the messagespace,

Prpk,sk,m

[Verifypk(m,Signsk(m)) = 1

]> 1− negl(κ)

2) (Existential Unforgeability) No adversary can forge asignature for any message with greater than negligibleprobability, even if that adversary has seen signatures forpolynomially many messages of its choice. Formally, forall PPT adversaries A with access to the signing oracleSignsk(·), where Q is the set of queries A asks the oracle,

Prpk,sk

[Verifypk (m,σ) = 1 ∧m /∈ Q :

(m,σ)← ASignsk(·) (pk)

]< negl(κ)

C. ECDSA

The ECDSA algorithm is parameterized by a group G oforder q generated by a point G on an elliptic curve over the

3

finite field Zp of integers modulo a prime p. The algorithmmakes use of the hash function H . Curve coordinates andscalars are represented in κ = |q| bits, which is also the securityparameter. A number of standard curves with various securityparameters have been promulgated [8]. Assuming a curve hasbeen fixed, the ECDSA algorithms are as follows [36]:

Algorithm 1. Gen(1κ):1) Uniformly choose a secret key sk← Zq .2) Calculate the public key as pk ..= sk ·G.3) Output (pk, sk).

Algorithm 2. Sign(sk ∈ Zq,m ∈ {0, 1}∗):1) Uniformly choose an instance key k ← Zq .2) Calculate (rx, ry) = R ..= k ·G.3) Calculate

sig ..=H(m) + sk · rx

k

4) Output σ ..= (sig mod q, rx mod q).

Algorithm 3. Verify(pk ∈ G,m, σ ∈ (Zq,Zq)):1) Parse σ as (sig, rx).2) Calculate

(r′x, r′y) = R′ ..=

H(m) ·G+ rx · pksig

3) Output 1 if and only if (r′x mod q) = (rx mod q).

The initial publication of the ECDSA algorithm did notinclude a rigorous proof of security; this proof was laterprovided by Brown [37] in the Generic Group Model, basedupon the hardness of discrete logarithms and the assumptionthat the hash function H is collision resistant and uniform.Vaudenay [38] surveys this and other ECDSA security results,and Koblitz and Menezes provide some analysis and critiqueof the proof technique [39]. In this work, we simply assumethat ECDSA is secure as specified in Definition 1.

D. Oblivious Transfer

Our construction uses a 1-of-2 Oblivious Transfer (OT)system, which is a cryptographic protocol evaluated by twoparties: a sender and a receiver. The sender submits as inputtwo private messages, m0 and m1; the receiver submits a singlebit b, indicating its choice between those two. At the end of theprotocol, the receiver learns the message mb, and the senderlearns nothing. In particular, the sender does not learn the valueof the bit b, and the receiver does not learn the value of themessage mb̄. 1-of-2 OT was introduced by Evan et al. [40],and is distinct from the earlier Rabin-style OT [41], [42]. Fora complete formal definition, we refer the reader to Naor andPinkas [43]. Beaver [44] later introduced the notion of OT-extension, by which a few instances of Oblivious Transfer canbe extended to transfer polynomially many messages usingonly symmetric-key primitives. For reasons of efficiency, manymodern protocols use OT-extension rather than plain OT.

III. TWO FUNCTIONALITIES

As our scheme is a multi-party computation protocol in themalicious security model, its security will be defined relativeto an ideal functionality. Prior works on threshold ECDSA [3],[4] present a functionality FECDSA that applies the thresholdmodel directly to the original ECDSA algorithms. The ECDSAGen algorithm becomes the first phase of FECDSA, and theECDSA Sign algorithm becomes the second.

Functionality 1. FECDSA:This functionality is parameterized by a group G of orderq (represented in κ bits) generated by G, as well as hashfunction H . The setup phase runs once with a group ofparties {Pi}i∈[1,n], and the signing phase may be run manytimes between any two specific parties from this group. Forconvenience, we refer to these two parties as Alice and Bob.Setup (2-of-n): On receiving (init) from all parties:

1) Sample and store the joint secret key, sk← Zq .2) Compute and store the joint public key, pk ..= sk ·G.3) Send (public-key, pk) to all parties.4) Store (ready) in memory.

Signing: On receiving (sign, idsig,B,m) from Alice and(sign, idsig,A,m) from Bob, if (ready) exists in memorybut (complete, idsig) does not exist in memory:

1) Sample k ← Zq and store it as the instance key.2) Compute (rx, ry) = R ..= k ·G.3) Compute

sig ..=H(m) + sk · rx

k

4) Collect the signature, σ ..= (sig mod q, rx mod q).5) Send (signature, idsig, σ) to Bob.6) Store (complete, idsig) in memory.

Our scheme does not realize FECDSA, but instead a newfunctionality FSampledECDSA, which we have formulated to allowus to build a protocol that requires only two rounds. It is wellknown that generic Multi-party Computation can compute anyfunction in two rounds [45], [46] (or even one round, witha complex setup procedure), but the challenge is to do soefficiently. It is natural to use a Diffie-Hellman exchange tocompute R, which would otherwise require expensive securepoint multiplication techniques, but this precludes either atwo-round protocol or use of the standard functionality foran intuitive reason: in the (basic) Diffie-Hellman exchange,Bob sends DB

..= kB · G to Alice, who replies to Bob withDA

..= kA ·G. Both Alice and Bob can compute R ..= kA ·kB ·G.While Alice cannot learn the discrete logarithm of R, she doeshave the power to determine R itself due to the fact that shechooses kA after having seen DB. This conflicts with FECDSA,which requires that the functionality pick R. It is not obvioushow to solve this without adding rounds or using a muchmore expensive primitive, though we conjecture that a moreelaborate one-time setup procedure may provide a resolution.

Instead, we have devised FSampledECDSA. Relative to FECDSA,we divide the signing phase of the functionality into three parts,

4

allowing the parties to abort between them. In the first twoparts, Alice and Bob initiate a new signature for a message m,and a random instance key k is chosen by the functionality,along with R = k · G, which is returned to Alice. Alice ispermitted to request a new sampling of R from the functionalityarbitrarily many times (with a negligible chance of receiving afavorable value), and to choose from the sampled set one valueunder which the signature will be performed. If neither partyaborts, then in the third part the functionality will return asignature under the chosen R. This accounts for Alice’s abilityto manipulate the Diffie-Hellman exchange, and yet it ensuresthat she does not know the discrete logarithm of the value thatis eventually chosen, and that the value is uniform over G.

In Appendix C we prove in the Generic Group Model [47]that FSampledECDSA is no less secure than ECDSA itself. Wealso believe that a four-round variant of our protocol can realizethe FECDSA functionality directly.

Functionality 2. FSampledECDSA:This functionality is parametrized in a manner identicalto FECDSA. Note that Alice may engage in the OffsetDetermination phase as many times as she wishes.Setup (2-of-n): On receiving (init) from all parties:

1) Sample and store the joint secret key sk← Zq .2) Compute and store the joint public key pk ..= sk ·G.3) Send (public-key, pk) to all parties.4) Store (ready) in memory.

Instance Key Agreement: On receiving (new, idsig,m,B)from Alice and (new, idsig,m,A) from Bob, if (ready) existsin memory, and if (message, idsig, ·, ·) does not exist inmemory, and if Alice and Bob both supply the same messagem and each indicate the other as their counterparty, then:

1) Sample kB ← Zq .2) Store (message, idsig,m, kB) in memory.3) Send (nonce-shard, idsig, DB

..= kB ·G) to Alice.Offset Determination: On receiving (nonce, idsig, i, Ri)from Alice, if (message, idsig,m, kB) exists in memory, but(nonce, idsig, j, ·) for j = i does not exist in memory:

4) Sample k∆i ← Zq .

5) Store (nonce, idsig, i, Ri, k∆i ) in memory.

6) Compute k∆i,A = k∆

i /kB and send (offset, idsig, k∆i,A)

to Alice.Signing: On receiving (sign, idsig, i, kA) from Alice and(sign, idsig) from Bob, if (message, idsig,m, kB) exists inmemory and (nonce, idsig, j, Ri, k∆

i ) for j = i exists inmemory, but (complete, idsig) does not exist in memory:

7) Abort if kA · kB ·G 6= Ri.8) Set k ..= kA · kB + k∆

i and store (rx, ry) = R ..= k ·G.9) Compute

sig ..=H(m) + sk · rx

k

10) Collect the signature, σ ..= (sig mod q, rx mod q).11) Send (signature, idsig, R, k∆

i , σ) to Bob.12) Store (complete, idsig) in memory.

IV. A BASIC 2-OF-2 SCHEME

We describe a simplified 2-of-2 version of our schemeinitially, abstracting away the multiplication protocols for thesake of clarity. In Section V we extend our scheme to support2-of-n threshold signing. The fundamental structure of our 2-of-2 scheme is similar to that of Lindell [3] in that the signingprotocol ingests multiplicative shares of both the private keyand the instance key from each party.

A. Signing

Alice and Bob begin with m, the message to be signed, andmultiplicative shares of a secret key (skA and skB respectively),as well as a public key pk that is consistent with those shares.The protocol is divided into four logical steps:

1) Multiplication: The parties transform multiplicativeshares of the instance key into additive shares. A secondmultiplication converts multiplicative shares of the secretkey divided by the instance key into additive shares. Dueto the presence of the consistency check and verificationsteps (below), the multiplication protocols employed arenot required to enforce correctness or consistency ofinputs; thus we model multiplication via FMul (given inSection VI), which allows for well-specified cheating. Toinstantiate this functionality, we use the custom OT-basedmultiplication protocol that we describe in Section VI-B.

2) Instance Key Exchange: The parties calculate R = k ·Gusing a modified Diffie-Hellman exchange.

3) Consistency Check: The parties verify that the firstmultiplication uses inputs consistent with the InstanceKey Exchange. This is achieved by adding a random padφ to Alice’s input, and then combining the pad with themultiplication output and the known value R in sucha way that Bob can retrieve the pad only if he actedhonestly. A second check ensures that the multiplicationsare consistent with each other and with the public key, bycombining the multiplication outputs with the public keyin the exponent.

4) Signature and Verification: The parties reconstruct thesignature, which is given to Bob. If the signature verifiesin the usual way, then Bob outputs it.

The Instance Key Exchange component implements thesecond and third phases of the FSampledECDSA functionality,and the Multiplication, Consistency Check, and Verificationcomponents implement the fourth phase. Although we makea logical distinction between these four components, in theactual protocol they are intertwined. In particular, we reorderthe messages such that all messages from Bob to Alice comefirst, followed by all messages from Alice to Bob, which resultsin a two-message protocol. Additionally, rather than performthe consistency check directly, we use its associated value asa key to encrypt all subsequent communications, so that theprotocol can only be completed if the consistency check passes.

A proof of knowledge is necessary in order to ensure thatAlice’s inputs are extractable, and thus the protocol makes useof a zero-knowledge proof-of-knowledge-of-discrete-logarithm

5

functionality FRDL

ZK , which is specified in Appendix B. This canbe concretely instantiated by a Schnorr proof [24] and the Fiat-Shamir [48] or Fischlin [49] transform. We give the signingprotocol below, and in Figure 1 we provide an illustration, alongwith annotations indicating the logical component associatedwith each step.

Protocol 1. Two-party Signing(πSign2P-ECDSA

):

This protocol is parameterized by the Elliptic curve (G, G, q)and the hash function H . It relies upon the FMul and FRDL

ZK

functionalities. Alice and Bob provide their multiplicativesecret key shares skA, skB as input, along with identical copiesof the message m, and Bob receives as output a signature σ.Multiplication and Instance Key Exchange:

1) Bob chooses his secret instance key, kB ← Zq , and Alicechooses her instance key seed, k′A ← Zq . Bob computesDB

..= kB ·G and sends DB to Alice.2) Alice computes

R′ ..= k′A ·DB

kA ..= H(R′) + k′A

R ..= kA ·DB

3) Alice chooses a pad φ← Zq, and then Alice and Bobinvoke the FMul functionality with inputs φ+ 1/kA and1/kB respectively, and receive shares t1A and t1B of theirpadded joint inverse instance key

t1A + t1B =φ

kB+

1

kA · kBAlice and Bob also invoke FMul with inputs skA/kA andskB/kB. They receive shares t2A and t2B of their jointsecret key over their joint instance key

t2A + t2B =skA · skBkA · kB

The protocol instances that instantiate FMul are inter-leaved such that the messages from Bob to Alice aretransmitted first, followed by Alice’s replies.

4) Alice transmits R′ to Bob, who computes

R ..= H(R′) ·DB +R′

For both Alice and Bob let (rx, ry) = R.5) Alice submits (prove, kA, DB) to FRDL

ZK , and Bob sub-mits (prove, R,DB). Bob receives a bit indicatingwhether the proof was sound. If it was not, he aborts.

Consistency Check, Signature, and Verification:6) Alice and Bob both compute m′ = H(m).7) Alice computes the first check value Γ 1, encrypts her

pad φ with Γ 1, and transmits the encryption ηφ to Bob.

Γ 1 ..= G+ φ · kA ·G− t1A ·Rηφ ..= H(Γ 1) + φ

8) Alice computes her share of the signature sigA and thesecond check value Γ 2. She encrypts sigA with Γ 2 andthen transmits the encryption ηsig to Bob

sigA..= (m′ · t1A) + (rx · t2A)

Γ 2 ..= (t1A · pk)− (t2A ·G)ηsig ..= H(Γ 2) + sigA

9) Bob computes the check values and reconstructs thesignature

Γ 1 ..= t1B ·Rφ ..= ηφ −H(Γ 1)

θ ..= t1B − φ/kBsigB

..= (m′ · θ) + (rx · t2B)Γ 2 ..= (t2B ·G)− (θ · pk)sig ..= sigB + ηsig −H(Γ 2)

10) Bob uses the public key pk to verify that σ ..= (sig, rx)is a valid signature on message m. If the verificationfails, Bob aborts. If it succeeds, he outputs σ.

On the Structure of the Consistency Check: Because theconsistency check mechanism is non-obvious, we present aninformal justification for it here. In Appendix F, we prove themechanism formally secure. Suppose that we reorganized ourprotocol to omit Alice’s pad φ. Then we would have

t1A + t1B =1

kA · kBt2A + t2B =

skA · skBkA · kB

(t1A + t1B) · pk = (t2A + t2B) ·G

If Bob behaves honestly, he should use 1/kB and skB/kBas his inputs to the two multiplications. Suppose Bob cheatsby using different inputs; without loss of generality, we caninterpret his cheating as using inputs x+1/kB and skB/kB, inessence offsetting his input for the first multiplication by somevalue x relative to his input for the second multiplication:

t1A + t1B = 1/k + x/kA

(t1A + t1B) · pk = (t2A + t2B) ·G+ x · pk/kA

To pass the consistency check, Bob would need to calculatepk/kA, which we show by means of a reduction is as hard asbreaking the Computational Diffie-Hellman problem.

In our hypothetical scenario, it is tempting to take advantageof the fact that (t1A+t

1B)·R = G to design a similar mechanism

to verify that the first multiplication is consistent with theinstance key exchange, but a check based upon this principleis insecure. Again, if we suppose that Bob cheats by offsettinghis input for the multiplication by some value x relative to hisinput for the Diffie-Hellman exchange that produces R, then

t1A + t1B = 1/k + x/kA

(t1A + t1B) ·R = G+ x · kB ·G

Unfortunately, the offset produced is made up entirely ofelements known to Bob. We rectify this by introducing into the

6

abort if Verify(pk, σ) /= 1

Mulα

t αβ − t

βφ + 1/kA

tA1

1/kB

tB1

skA/kA

tA2

skB/kB

tB2

Mulα

t αβ − t

β

kB ← Z

q

skA ∈ Z

q

Alice Bob

Private Input Private Input

Algorithm Algorithm

Common Inputs

skB ∈ Z

q

pk ∈ Gm ∈ {0,1}*

m' := H(m) m' := H(m)

sig := sigB+ηsig −H(Γ 2)

σ := (sig mod q, rx mod q)

Output σ ∈ (Zq,Z

q)

sigA := m' · t

A1

+ rx · tA2

Γ 1 := tB1 · R

φ, k'A ← Z

q

DB := k

B · GD

BR' := k'A

· DB

kA := H(R' ) + k'

A

R' R := H(R' ) · DB

+ R'

(rx, r

y) = R(r

x, r

y) = R := k

A · D

B

Γ 1 := G + φ · kA

· G − tA1 · R

sigB := m' · θ + r

x · tB2

ηsig := H( Γ 2) + sigA

ηsig

ηφ := H( Γ 1) + φ ηφ φ := ηφ − H( Γ 1)

Γ 2 := tB2 · G − θ · pkΓ 2 := t

A1 · pk − t

A2 · G

θ := tB1 − φ/k

B

(kA,DB) (R,D

B)

ZK-DL(x,B)

xB=X

(X,B)

? abort if 0

Fig. 1: Illustrated Two-party Signing Scheme. Operations arecolor-coded according to the logical component with whichthey are associated: Multiplication , Instance Key Exchange ,Consistency Check , and Verification/Signing . We specify how to

instantiate the multiplication subprotocol (πMul) in Section VI-B.

equation a term that Bob cannot predict. Alice intentionallyoffsets her input to the multiplication using a pad φ, giving usthe system presented in πSign

2P-ECDSA. If Bob is honest, then

t1A + t1B = 1/k + φ/kB

t1B ·R = G+ φ · kA ·G− t1A ·R

which implies that both Alice and Bob can compute t1B · R.On the other hand, if Bob is dishonest, then

t1A + t1B = 1/k + φ/kB + x/kA + x · φt1B ·R = G+ φ · kA ·G+ x · kB ·G+ x · φ ·R− t1A ·R

Because x is unknown to Alice and φ is unknown to Bob,neither party is capable of calculating the offset that has beeninduced. Consequently, if Alice masks φ using the value oft1B · R that she expects Bob to have, then he will be able toremove the mask and retrieve φ if and only if he has behavedhonestly. Without knowledge of φ, he will not be able to passthe second consistency check or reconstruct the signature. Wenote that there is an assumption of circular security in thisconstruction, which we resolve via the Random Oracle Model.

B. Setup

We now present a simplified setup protocol for two parties.This protocol does not implement the setup phase of theFSampledECDSA functionality, as it does not support thresholdsigning (we extend it to do so in Section V), but it does providea similar functionality to the setup protocol of Lindell [3]. Inshort, it implements the ECDSA Gen algorithm, combiningmultiplicative secret key shares via a simple Diffie-Hellmankey exchange. Proofs of knowledge are necessary in orderto ensure that if the protocol completes then the parties arecapable of signing; in addition to the FRDL

ZK functionality, thisprotocol makes use of a commit-and-prove variant FRDL

Com-ZK,which is specified in Appendix B. Finally, the parties notifythe FMul functionality that they are ready, which correspondsto the initialization of OT-extensions.

Protocol 2. Two-party Setup(πSetup2P-ECDSA

):

This protocol is parameterized by the Elliptic curve (G, G, q),and relies upon the FMul, FRDL

ZK , and FRDL

Com-ZK functionalities.It takes no input and yields the secret key shares skA and skBto Alice and Bob respectively, along with the joint public keypk to both parties.Public Key Generation:

1) Alice and Bob sample skA ← Zq and skB ← Zq,respectively, and then they compute pkA

..= skA · Gand pkB

..= skB ·G.2) Alice submits (com-proof, skA, G) to FRDL

Com-ZK, andBob becomes aware of Alice’s commitment.

3) Bob sends pkB to Alice and submits (prove, skB, G) toFRDL

ZK . Alice submits (prove, pkB, G), and receives a bitindicating whether the proof was sound. If it was not,she aborts.

4) Alice sends pkA to Bob and instructs FRDL

Com-ZK to releasethe proof associated with her previous commitment. Bobsubmits (prove, pkA, G), and receives a bit indicatingwhether the proof was sound. If it was not, he aborts.

5) Alice and Bob compute pk ..= skA · pkB = skB · pkA.Auxilliary Setup:

6) Alice and Bob both send the (init) messages to theFMul Functionality to initialize OT-extensions.

7

V. 2-OF-n THRESHOLD SIGNING

We now demonstrate a simple extension of our two-partyECDSA protocol for performing threshold signatures amongn parties, with a threshold of two. With this extension,our protocol realizes the FSampledECDSA functionality that wegave in Section III. In πSetup

2P-ECDSA, Alice and Bob suppliedmultiplicative shares skA and skB of their joint secret key. Inthe threshold setting we will be working with a set of partiesP of size n, each party i with a secret key share ski, andwe demand that if the setup does not abort then any pair ofparties can sign. In order to achieve this, we specify that in thethreshold setting, the joint secret key sk is calculated as thesum of the parties’ contributions, rather than as the product:

sk ..=∑i∈[1,n]

ski

In other words, the parties’ individual secret keys represent an n-of-n sharing of sk. It is natural to use a threshold secret sharingscheme to convert these into a 2-of-n sharing. Specifically, weuse Shamir Secret Sharing [16], and a simple consistency checkallows us to guarantee security against malicious adversaries.

From Shamir shares, any two parties can generate additiveshares of the joint secret key. However, our 2-of-2 signingprotocol (πSign

2P-ECDSA) required multiplicative shares as its input.We will need to modify the signing protocol slightly to accountfor the change. First, we present our 2-of-n setup procedure.

A. Setup

Protocol 3. 2-of-n Setup(π2P-SetupnP-ECDSA

):

This protocol is parameterized by the Elliptic curve (G, G, q),and relies FMul and FRDL

Com-ZK functionalities. It runs among agroup of parties P of size n, taking no input, and yieldingto each party Pi a point p(i) on the polynomial p, a secretkey share ski, and the joint public key pk.Public Key Generation:

1) For all i ∈ [1, n], Party Pi samples ski ← Zq .2) For all i ∈ [1, n], Party Pi calculates pki

..= ski ·G andsubmits (com-proof, ski, G) to FRDL

Com-ZK, which notifiesthe other parties that Pi is committed. When Pi becomesaware of all other parties’ commitments, it sends pkito the other parties and instructs FRDL

Com-ZK to release itsproof to them. All other parties submit (prove, pki, G)and receive a bit indicating whether the proof was sound.If any party’s proof fails to verify, then all parties abort.

3) All parties compute the shared public key

pk ..=∑i∈[1,n]

pki

4) For all i ∈ [1, n], Pi chooses a random line given by thedegree-1 polynomial pi(x), such that pi(0) = ski. Forall j ∈ [1, n], Pi sends pi(j) to Pj and receives pj(i).

5) For all i ∈ [1, n], Pi computes its point

p(i) ..=∑j∈[1,n]

pj(i)

It also computes a commitment to its share of the secretkey, Ti ..= p(i) ·G, and broadcasts Ti to all other parties.

6) All parties abort if there exists i ∈ [2, n] such that

λ(i−1),i · Ti−1 + λi,(i−1) · Ti 6= pk

where λ(i−1),i and λi,(i−1) are the appropriate Lagrangecoefficients for Shamir-reconstruction between Pi−1 andPi. If any party holds a point p(i) that is inconsistentwith the polynomial held by the other parties, then thischeck will fail.

Auxilliary Setup:7) Every pair of parties Pi and Pj such that i < j send

the (init) message to the FMul functionality.

A Note on General Thresholds: We note that a slightgeneralization of the π2P-Setup

nP-ECDSA protocol allows it to performsetup for any threshold t such that t ≤ n. The only requiredchanges are the use of polynomials of the appropriate degree(as in Shamir Secret Sharing), and the evaluation of theconsistency check in Step 6 over contiguous threshold-sizedgroups of parties. However, our signing protocol is not so easilygeneralized; therefore we leave general threshold signing tofuture work, and focus here on the 2-of-n case.

B. Signing

Once the setup is complete, suppose two parties from the setP (we will resume referring to them as Alice and Bob) wishto sign. They can use Lagrange interpolation [50] to constructadditive shares t0A and t0B of the secret key, but the signingalgorithm we have previously described requires multiplicativeshares. To account for this, we modify our signing algorithmin the following intuitive way: originally, the second invocationof FMul took skA/kA from Alice and skB/kB from Bob andcomputed additive shares of the product

skA · skBkA · kB

We replace this with two invocations of FMul that calculate

t0AkA · kB

andt0B

kA · kBrespectively. Alice and Bob can then locally sum their outputsfrom these two multiplications to yield shares of

t0A + t0BkA · kB

=sk

k

What follows is our 2-of-n signing protocol, in its entirety.We note that the Consistency Check, Signature, and Verificationphase of this protocol is identical to the corresponding phasein the πSign

2P-ECDSA protocol that we gave in Section IV-A.

8

Protocol 4. 2-of-n Signing(π2P-SignnP-ECDSA

):

This protocol is parameterized identically to πSign2P-ECDSA, except

that Alice and Bob provide Shamir-shares p(A), p(B) of skas input, rather than multiplicative shares.Key Share Reconstruction:

1) Alice locally calculates the correct Lagrange coefficientλA,B for Shamir-reconstruction with Bob. Bob likewisecalculates λB,A. They then use their respective pointsp(A), p(B) on the polynomial p to calculate additiveshares of the secret key

t0A..= λA,B · p(A) t0B

..= λB,A · p(B)

Multiplication and Instance Key Exchange:2) Bob chooses his instance key, kB ← Zq, and Alice

chooses her instance key seed, k′A ← Zq . Bob computesDB

..= kB ·G and sends DB to Alice.3) Alice computes

R′ ..= k′A ·DB

kA ..= H(R′) + k′A

R ..= kA ·DB

4) Alice chooses a pad φ← Zq, and then Alice and Bobinvoke the FMul functionality with inputs φ+ 1/kA and1/kB respectively, and receive shares t1A and t1B of theirpadded joint inverse instance key.

5) Alice and Bob invoke the FMul functionality with inputst0A/kA and 1/kB respectively. They receive shares t2a

A , t2aB

of Alice’s secret key share over their joint instance key

t2aA + t2a

B =t0A

kA · kB6) Alice and Bob invoke the FMul functionality with inputs

1/kA and t0B/kB respectively. They receive shares t2bA , t

2bB

of Bob’s secret key share over their joint instance key

t2bA + t2b

B =t0B

kA · kB7) Alice and Bob merge their respective shares

t2A..= t2a

A + t2bA t2B

..= t2aB + t2b

B

8) Alice transmits R′ to Bob, who computes

R ..= H(R′) ·DB +R′

For both Alice and Bob let (rx, ry) = R.9) Alice submits (prove, kA, DB) to FRDL

ZK and Bob submits(prove, R,DB). Bob receives a bit indicating that theproof was sound. If it was not, he aborts.

Consistency Check, Signature, and Verification:10) Alice and Bob both compute m′ = H(m).11) Alice computes the first check value Γ 1, encrypts her

pad φ with Γ 1, and transmits the encryption ηφ to Bob.

Γ 1 ..= G+ φ · kA ·G− t1A ·R

ηφ ..= H(Γ 1) + φ

12) Alice computes her share of the signature sigA and thesecond check value Γ 2. She encrypts sigA with Γ 2 andthen transmits the encryption ηsig to Bob

sigA..= (m′ · t1A) + (rx · t2A)

Γ 2 ..= (t1A · pk)− (t2A ·G)ηsig ..= H(Γ 2) + sigA

13) Bob computes the check values and reconstructs thesignature

Γ 1 ..= t1B ·Rφ ..= ηφ −H(Γ 1)

θ ..= t1B − φ/kBsigB

..= (m′ · θ) + (rx · t2B)Γ 2 ..= (t2B ·G)− (θ · pk)sig ..= sigB + ηsig −H(Γ 2)

14) Bob uses the public key pk to verify that σ ..= (sig, rx)is a valid signature on message m. If the verificationfails, Bob aborts. If it succeeds, he outputs σ.

VI. MULTIPLICATION WITH OT EXTENSIONS

Both our 2-of-2 and 2-of-n signing protocols depend upon afunctionality that computes an additive sharing of the productof two inputs. We wish the protocol that implements thisfunctionality to be secure against malicious adversaries andpractically efficient in the non-amortized setting. Furthermore,if our signing protocols are to be only two messages overall,then our multiplication protocol must comprise a single messagefrom Bob to Alice, followed by a reply, and no furtherinteraction. These requirements preclude generic approachessuch SPDZ [51] or MASCOT [52]. Instead, we devise anew variant of the classic Gilboa oblivious multiplicationconstruction [32], which is based upon Oblivious Transfer.Whereas Gilboa’s original formulation is only semi-honestsecure, our modified technique ensures security against activeadversaries, while allowing one party to induce (simulatable)additive errors into the output, which can be detected via thefinal signature verification in the broader context of our signingscheme. Specifically, our multiplication protocol realizes thefollowing multiplication-with-errors functionality.

Functionality 3. FMul:This functionality is parameterized by the group order q. Itruns with two parties, Alice and Bob, who may participate inthe Init phase once, and the Bob-input and Multiply phasesas many times as they wish.Init: Wait for message (init) from Alice and Bob. Store(init-complete) in memory and send (init-complete)to Bob.Bob-input: On receiving (input, idmul, β) from Bob, if(bob-input, idmul, ·, ·) with the same idmul does not existin memory, and if (init-complete) does exist in memory,

9

and if β ∈ Zq, then sample tA ← Zq uniformly atrandom, store (bob-input, idmul, β, tA) in memory, and send(bob-ready, idmul, tA) to Alice.Multiply: On receiving (input, idmul, α, δ, c) from Alice, ifthere exists a message of the form (bob-input, idmul, β, tA)in memory with the same idmul, and if (complete, idmul)does not exist in memory, and if α, δ ∈ Zq and c ∈ Z∗ suchthat c ≥ 1 ⇐⇒ δ 6= 0, then:

1) Toss c coins, and if any of them output 1, then send(cheat-detected) to Bob.

2) Otherwise, calculate tB ..= α · β + δ − tA and send(output, idmul, tB) to Bob.

3) Store (complete, idmul) in memory.

A. Oblivious Transfer

In order to improve the practical efficiency of our algorithm,we base our multiplier upon Correlated Oblivious TransferExtensions rather than traditional OT. Whereas in plain OT, thesender provides two messages, in Correlated OT, the senderprovides one correlation (in our case, an additive correlation),and the messages are generated randomly under this constraint.

What follows is a Correlated OT-extension functionalitythat allows arbitrarily many Correlated OT instances to beexecuted in batches of size `. For each batch, the receiverinputs a vector of choice bits ω ∈ {0, 1}`, following whichthe sender inputs a vector of correlations α ∈ G1 × G2 ×. . .×G` (each element αi being in some agreed-upon groupGi). The functionality samples ` random pads, each pad ibeing from the corresponding group Gi, and sends them to thesender. To the receiver it sends only the pads if the sender’scorresponding choice bits were 0, or the sum of the pads andtheir corresponding correlations if the sender’s correspondingchoice bits were 1. Note that this functionality is nearly identicalto the one presented by Keller et al. [34], but we add flexiblecorrelation lengths, an initialization phase, and the ability toperform extensions (each batch of extensions indexed by afresh extension index idext) only after the initialization hasbeen performed.

Functionality 4. F`COTe:This functionality is parameterized by the group order q andthe batch size `. It runs with two parties, a sender S and areceiver R, who may participate in the Init phase once, andthe Choice and Transfer phases as many times as they wish.Init: On receiving (init) from both parties, store (ready)in memory and send (init-complete) to the receiver.Choice: On receiving

(choose, idext,ω

)from the receiver,

if(choice, idext, ·

)with the same idext does not exist in

memory, and if (ready) does exist in memory, and if ω isof the correct form, then send (chosen) to the sender andstore

(choice, idext,ω

)in memory.

Transfer: On receiving(transfer, idext,α

)from the

sender, if a message of the form(choice, idext,ω

)exists in

memory with the same idext, and if(complete, idext

)does

not exist in memory, and if α is of the correct form, then:

1) Sample a vector of random pads tS ← G1×G2×. . .×G`2) Send (pads, tS) to the sender.3) Compute {tRi}i∈[1,`]

..= {ωi ·αi − tSi}i∈[1,`].4) Send (padded-correlation, tR) to the receiver.5) Store (complete, idext) in memory.

We instantiate this functionality using the protocol of Kelleret al. [34]. As with all OT-extension protocols, a base-OTprotocol is required. Here we use the Simplest OT protocolof Chou and Orlandi [33], which we modify by adding anew check, to overcome a weakness in the proof of theoriginal formulation. The details of these protocols and ofour modifications are given in Appendix A.

B. Single Multiplication

The classic Gilboa OT-multiplication [32] takes an input fromAlice and an input from Bob, and returns to them additivesecret shares of the product of those two inputs. It worksessentially by performing binary multiplication with a singleoblivious transfer for each bit in Bob’s input. Unfortunately,this protocol is vulnerable to selective failure attacks in themalicious setting. Alice can corrupt one of the two messagesduring any single transfer, and in doing so learn the value ofBob’s input bit for that transfer according to whether or nottheir outputs are correct. We address this by encoding Bob’sinput with enough redundancy that learning s (a statisticalsecurity parameter) of Bob’s choice bits via selective failuredoes not leak information about the original input value. Abit-by-bit consistency check ensures that the parties abort withhigh probability if an inconsistent message is selected by Bob,and thus the probability that Alice succeeds in more thans selective failures is exponentially small. A proposition ofImpagliazzo and Naor [53] gives us the following encodingscheme: for an input β of length κ, sample κ+2s random bitsγ ← {0, 1}κ+2s and take the dot product with some publicrandom vector gR ∈ Zκ+2s

q . Use this dot product as a maskfor the original input. The encoding function is defined as

Algorithm 4. Encode(gR ∈ Zκ+2sq , β ∈ Zq):

1) Sample γ ← {0, 1}κ+2s

2) Output Bits (β − 〈gR,γ〉) ‖γ

In Appendix E, we prove formally that this encoding schemeproduces codewords with the property that even if one knowsthe message encoded, guessing any substring of a codeword isalmost as hard as guessing a uniformly sampled string of thesame length. We also prove that the following protocol realizesFMul.

Protocol 5. Multiplication (πMul):This protocol is parameterized by the statistical securityparameter s, the curve order q, and the symmetric securityparameter κ = |q|. It also makes use of a coefficient vectorg = gG‖gR, where gG ∈ Zκq is a gadget vector suchthat gG

i = 2i−1, and gR ← Zκ+2sq is a public random

vector. It requires access to the Correlated Oblivious Transfer

10

functionality F`COTe. Alice supplies some input integer α ∈ Zq ,and Bob supplies some input integer β ∈ Zq . Alice and Bobreceive tA and tB ∈ Zq as output, respectively, such thattA + tB = α · β.Encoding:

1) Bob encodes his input

ω ..= Encode(gR, β)

2) Alice samples α̂← Zq and sets

α ..= {α‖α̂}j∈[1,2κ+2s]

Multiplication:3) Alice and Bob access the F`COTe functionality, with batch

size ` ..= 2κ+ 2s. Alice plays the sender, supplying αas her input, and Bob, the receiver, supplies ω. Theyreceive as outputs, respectively, the arrays{

tAj

∥∥∥t̂Aj}j∈[1,2κ+2s]

and{

tBj

∥∥∥t̂Bj}j∈[1,2κ+2s]

That is, tA is a vector wherein each element contains thefirst half of the corresponding element in Alice’s outputfrom F`COTe, and t̂A is a vector wherein each elementcontains the second half. tB and t̂B play identical rolesfor Bob.

4) Alice and Bob generate two shared, random valuesby calling the random oracle. As input they use theshared components of the transcript of the protocol thatimplements F`COTe, in order the ensure that these valueshave a temporal dependency on the completion of theprevious step. In our proofs, we abstract this step as acoin tossing protocol.

(χ, χ̂)← H2(transcript)

5) Alice computes

r ..={χ · tAj + χ̂ · t̂Aj

}j∈[1,2κ+2s]

u ..= χ · α+ χ̂ · α̂

and sends r and u to Bob6) Bob aborts if∨

j∈[1,2κ+2s]

(χ · tBj + χ̂ · t̂Bj 6= ωj · u− rj

)7) Alice and Bob compute their output shares

tA ..=∑

j∈[1,2κ+2s]

gj · tAj tB ..=∑

j∈[1,2κ+2s]

gj · tBj

C. Coalesced Multiplication

The multiplication protocol described in the foregoing sectionsupports the multiplication of only a single integer α by asingle integer β, and in our two-party and 2-of-n signingprotocols (πSign

2P-ECDSA and π2P-SignnP-ECDSA respectively) we invoke

the multiplication protocol two or three times. An optimizationallows these multiple invocations to be combined at reducedcost, albeit by breaking some of our previous abstractions.

Consider first the case of two-party signing, wherein twomultiplications must be performed. Each multiplication indi-vidually encodes its input, enlarging it by κ + 2s bits, andthen individually calls upon the F`COTe Correlated OT-extensionfunctionality with batch size ` = 2κ+ 2s. The protocol thatrealizes this functionality incurs some overhead, proportionateto a security parameter κOT, and two multiplications performedin the naïve way incur this cost twice. However, we observethat two multiplication protocol instances can share a singleinvocation of F`COTe simply by doubling the batch size, therebyreducing the extension cost by an amount proportionate to κOT.Furthermore, we observe that when the inputs are combinedinto a single extension instance, we can also combine theencodings of the inputs, reducing the overhead due to encodingfrom 2κ+ 4s additional OT instances to 2κ+ 2s. In a futureversion of this paper, we show that this coalesced encodingmaintains security.

Algorithm 5. Encode2(gR ∈ Zκ+2sq , β1 ∈ Zq, β2 ∈ Zq):

1) Sample γ1 ← {0, 1}κ,γ2 ← {0, 1}κ,γ3 ← {0, 1}2s2) Output

Bits(β1 − 〈gR,γ1‖γ3〉)‖γ1

‖ Bits(β2 − 〈gR,γ2‖γ3〉)‖γ2‖γ3

Further consider the case of 2-of-n signing, in which threemultiplications are used to compute the products

α1 · β1 α2a · β2 α2b · β1

Notice that in the first and third multiplications, Bob’s inputs areidentical, while in the second it differs. Consequently, we canperform the third multiplication by extending the appropriatepart Alice’s input, while keeping Bob’s input the same.

Protocol 6. Coalesced Triple Multiplication (πMul3):This protocol is parameterized identically to πMul, except thatAlice supplies three inputs, α1, α2a, α2b and receives threeoutputs, t1A, t

2aA , t

2bA . Bob supplies only two inputs, β1, β2,

and likewise receives t1B, t2aB , t

2bB .

Encoding:1) Bob encodes his input

ω ..= Encode2(gR, β1, β2)

2) Alice samples α̂1, α̂2a, α̂2b ← Zq and sets

α ..={α1∥∥∥α̂1

∥∥∥α2a∥∥∥α̂2a

}j∈[1,2κ]

‖{α2b∥∥∥α̂2b

}j∈[1,2κ]

‖{α1∥∥∥α̂1

∥∥∥α2a∥∥∥α̂2a

∥∥∥α2b∥∥∥α̂2b

}j∈[1,2s]

Multiplication:3) Alice and Bob access the F`COTe functionality, with batch

size ` ..= 4κ+ 2s. Alice plays the sender, supplying α

11

as her input, and Bob, the receiver, supplies ω. Alicereceives as output the array{

t1Aj

∥∥∥t̂1

Aj

∥∥∥t2aAj

∥∥∥t̂2a

Aj

}j∈[1,2κ]

‖{

t2bAj

∥∥∥t̂2b

Aj

}j∈[1,2κ]

‖{

t1Aj

∥∥∥t̂1

Aj

∥∥∥t2aAj

∥∥∥t̂2a

Aj

∥∥∥t2bAj

∥∥∥t̂2b

Aj

}j∈[2κ,2κ+2s]

and Bob receives a corresponding output array.The remainder of the protocol is identical to πMul, except thatthe linear check process is repeated for each of the tuples(t1A, t

1B, t̂

1

A, t̂1

B

) (t2aA , t

2aB , t̂

2a

A , t̂2a

B

) (t2bA , t

2bB , t̂

2b

A , t̂2b

B

)To compute three products in the naïve way, κ · (3κOT +

24κ+ 24s+ 9) bits must be transferred, with a proportionateamount of computation being performed. Using our optimized,coalesced multiplication, only κ · (κOT + 22κ+ 20s+ 5) bitsmust be transferred (again, with a proportionate amount ofcomputation). Concretely, if we use κ = 256, s = 80, andκOT = 128 + s (this being the overhead induced by the OT-extension protocol; our choice follows KOS [34]), then thetotal communication is reduced from to 271.8 to 232.7 KiB.

VII. COST ANALYSIS

When all of the optimizations have been applied and allfunctionalities and sub-protocols have been collapsed, we findthat our protocols have communication and computation costsas reported in Table I. Though we account completely for com-munications, we count only elliptic curve point multiplicationsand calls to the hash function H toward computation cost. Weassume that both commitments and the PRG are implementedvia the random oracle H , and that proofs-of-knowledge-of-discrete-logarithm are implemented via Schnorr protocols withthe Fiat-Shamir heuristic.

The 2-of-n setup protocol is somewhat more complex thanTable I indicates. Over its course, each of the n parties commitsto and then sends a single proof-of-knowledge-of-discrete-logarithm to all other parties in broadcast and then verifies then−1 proofs that it receives. The parties then compute and sendLagrange coefficients to one another, which requires O(n2)(parallel) communication in total, and this pattern repeats forverification. Finally, each party evaluates a single KOS Setupinstance with every other party, for (n2 − n)/2 instances intotal. The entire protocol requires four broadcast rounds, plusthe messages required by the KOS Setup instances.

For ease of comparison, concrete communication costsfor our signing protocol along with the signing protocols ofGennaro et al. [4], Boneh et al. [5], and Lindell [3] are listedin Table II. The former pair of schemes are related: Bonehet al. reduce the number of messages in Gennaro et al.’ssigning protocol from six to four, with the goal of reducing thecommunication cost. Apart from requiring only two messages,our signing protocol requires roughly one seventh of thecommunication incurred by either.

Lindell’s signing scheme requires four messages and excelsin terms of communication cost, only transferring a com-mitment, two curve points, two zero-knowledge proofs, andone Paillier ciphertext. However, the Paillier homomorphicoperations it requires are quite expensive. Lindell’s schemerequires one encryption, one homomorphic scalar multiplica-tion, and one homomorphic addition with a Paillier modulusN > 2q4 + q3; concretely, a standard 2048-bit modulus issufficient for a 256-bit curve. Gennaro et al. and Boneh et al.’sschemes both require one to three encryptions and three to fivehomomorphic additions and scalar multiplications per party,with N > q8, which likewise implies that for 256-bit curves, a2048-bit modulus is sufficient. In addition, Lindell’s protocolrequires 12 Elliptic Curve multiplications, while the protocolsof the other two require roughly 100. These Paillier and curveoperations dominate the computation cost of the protocols.

VIII. IMPLEMENTATION

We created a proof-of-concept implementation of our 2-of-2and 2-of-n setup and signing protocols in the Rust language.As a prerequisite, we also created an elliptic curve libraryin Rust. We use SHA-256 to instantiate the random oracleH , per the ECDSA specification, and in addition we use it toinstantiate the PRG. As a result, our protocol makes no concretecryptographic assumptions other than those already required byECDSA itself. The SHA-256 implementation used in signingis capable of parallelizing vectors of hash operations, and the2-of-n setup protocol is capable of parallelizing OT-extensioninitializations, but otherwise the code is strictly single-threaded.This approach has likely resulted in reduced performancerelative to an optimized C implementation, but we believethat the safety afforded by Rust makes the trade worthwhile.

We benchmarked our implementation on a pair of AmazonC5.2xlarge instances from Amazon’s Virginia datacenter,both running Ubuntu 16.04 with Linux kernel 4.4.0, and wecompiled our code using Rust 1.27 with the default levelof optimization. The bandwidth between our instances wasmeasured to be be 5GBits/Second, and the round-trip latency tobe 0.2 ms. Our signatures were calculated over the secp256k1curve, as standardized by NIST [6]. Thus κ = 256, and wechose s = 80 and κOT = 128 + s, following the analysisof KOS [34]. We performed both strictly single-threadedbenchmarks, and benchmarks allowing parallel hashing withthree threads per party, collecting 10,000 samples for setup and100,000 for signing. Note that signatures were not batched, andthus each sample was impacted individually by the full latencyof the network. The average wall-clock times for both signingprotocols and the 2-of-2 setup protocol are reported in Table III,along with results from previous works for comparison. Theseresults are taken directly from their respective sources, and werenot produced in our benchmarking environment. Nevertheless,we believe them to be comparable, due to the fact that theywere collected using a similar type of hardware and in similarnetwork conditions.

We benchmarked our 2-of-n setup algorithm using set of 20Amazon C5.2xlarge instances from the Virginia datacenter,

12

Rounds Communication (Bits)EC Multiplications Hash Function Invocations

Alice Bob Alice Bob

2-of-2 Setup 5 κ · (5κ+ 11) + 6 3κ+ 6 2κ+ 6 6κ+ 4 6κ+ 4

2-of-2 Signing 2 κ · (κOT + 16κ+ 14s+ 10) + 3 7 9 2κOT + 24κ+ 20s+ 9 3κOT + 20κ+ 14s+ 9

2-of-n Signing 2 κ · (κOT + 22κ+ 20s+ 11) + 3 7 9 2κOT + 32κ+ 28s+ 9 3κOT + 24κ+ 18s+ 9

Max Min Max Min

2-of-n Setup 5 (n2 − n) · (2.5κ2 + 8κ+ 4) nκ− κ+ 4 n+ 3 5nκ− 5κ+ 1 4nκ− 4κ+ 1

TABLE I: Communication and Computation Cost Equations For Our Protocol. We assume that the hash function H is used to implementthe PRG. Note that communication costs are totals for all parties over all rounds, whereas computation costs are given per party. In the2-of-n protocol the computation cost depends upon the identity of the party; consequently we give the minimum and maximum.

κ = 256 κ = 384 κ = 521

Lindell [3] 769 B 897 B 1043 BThis Work (2-of-2) 169.8 KiB 350.7 KiB 615.3 KiB

Gennaro et al. [4] ∼1808 KiB ∼4054 KiB ∼7454 KiBBoneh et al. [5] ∼1680 KiB ∼3768 KiB ∼6924 KiBThis Work (2-of-n) 232.8 KiB 481.3 KiB 844.7 KiB

TABLE II: Concrete Signing Communication Costs. Assuming 2-of-n signing for Gennaro et al. and Boneh et al., and 2-of-2 signingfor the protocol of Lindell. For our protocols, we use s = 80 andκOT = 128 + s.

This Work (3 threads) [3]

2-of-2 Setup 43.41 – 2435

2-of-2 Signing 3.26 3.12 36.8

This Work (3 threads) [4] [5]

2-of-n Signing 3.77 3.55 ∼650 ∼350

TABLE III: Wall-clock Times in Milliseconds over LAN, ascompared to the prior approaches of Lindell [3], Gennaro et al. [4],and Boneh et al. [5]. Note that hardware and networking environmentsare not necessarily equivalent, but all benchmarks were performedwith a single thread except where specified.

configured as before with one instance per party. For initializingOT-extensions, each machine was allowed to use as manythreads as there were parties, but the code was otherwisesingle-threaded. We collected 1000 samples for groups ofparties ranging in size from 3 to 20, and we report the resultsin Figure 2.

Transoceanic Benchmarks: We repeated our 2-of-2 setup,2-of-2 signing, and 2-of-n signing benchmarks with one of themachines relocated to Amazon’s Paris datacenter, collecting1,000 samples for setup and 10,000 for signing, and in the lattercase allowing three threads for hashing. In this configuration,the bandwidth between our instances was measured to be 155Mbps and the round-trip latency to be 78.2 ms. In addition, weperformed a 2-of-4 setup benchmark among four instances in

2 4 6 8 10 12 14 16 18 20Number of Parties

5075

100125150175

Exec

utio

n Ti

me

(ms)

Fig. 2: Wall Clock Times for 2-of-n Setup over LAN. Note thatall 20 parties reside on individual machines in the same datacenter,and latency is on the order of a few tenths of a millisecond.

Setup Signing2-of-2 2-of-4 (US) 2-of-10 (World) 2-of-2 2-of-n

354.36 376.86 1228.46 81.34 81.83

TABLE IV: Wall-clock Times in Milliseconds over WAN. Allbenchmarks were performed between one party in the eastern USand one in Paris, except the 2-of-4 setup benchmark, which wasperformed among four parties in four different US states, and the2-of-10 setup benchmark, which was performed among ten parties inAmerica, Europe, Asia, and Australia.

Amazon’s four US datacenters (Virginia, Ohio, California, andOregon), and we performed a 2-of-10 setup benchmark amongten instances in ten geographically distributed datacenters(Virginia, Ohio, California, Oregon, Mumbai, Sydney, Canada,Ireland, London, and Paris). The round-trip latency betweenthe US datacenters was between 11.2 ms and 79.9 ms and thebandwidth between 152 Mbps and 1.10 Gbps, while round-triplatency between the most distant pair of datacenters, Mumbaiand Ireland, was 282 ms, and the bandwidth was 39 Mbps.Results are reported in Table IV. We note that in contrast to oursingle-datacenter benchmarks, our transoceanic benchmarksare dominated by latency costs. We expect that our protocol’slow round count constitutes a greater advantage in this settingthan does its computational efficiency.

13

A. Comparison to Prior Work

We compare our implementation to those of Lindell [3],Gennaro et al. [4], and Boneh et al. [5] (who also provide anoptimized version of Gennaro et al.’s scheme, against whichwe make our comparison). Though Boneh et al. and Gennaroet al. support thresholds larger than two, we consider only theirperformance in the 2-of-n case. Neither Gennaro et al. norBoneh et al. include network costs in the timings they provide,nor do they provide timings for the setup protocol that theirschemes share. However, Lindell observes that Gennaro et al.’sscheme involves a distributed Paillier key generation protocolthat requires roughly 15 minutes to run in the semi-honestsetting. Unfortunately, this means we have no reliable point ofcomparison for our 2-of-n setup protocol.

Lindell benchmarks his scheme using a single core on eachof two Microsoft Azure Standard_DS3_v2 instances in thesame datacenter, which can expect bandwidth of roughly 3Gbps. Lindell’s performance figures do include network costs.In spite of the fact that Lindell’s protocol requires vastly lesscommunication, as reported in Section VII, we nonethelessfind that, not accounting for differences in benchmarkingenvironment, our implementation outperforms his for signingby a factor of roughly 11 (when only a single thread is allowed),and for setup by a factor of roughly 56.

Given that each 2-of-2 signature requires 169.8 KiB of datato be transferred under our scheme, but only 769 Bytes underLindell’s, there must be an environment in which his schemeoutperforms ours. Specifically Lindell has an advantage whenthe protocol is bandwidth constrained but not computationallyconstrained. Such a scenario is likely when a large number ofsignatures must calculated in a batched fashion (mitigating theeffects of latency) by powerful machines with a comparativelyweak network connection.

Finally, we note that an implementation of the ordinary(local) ECDSA signing algorithm in Rust using our own ellipticcurve library requires an average of 173 microseconds tocalculate a signature on our benchmark machines – a factor ofroughly 18 faster than our 2-of-2 signing protocol.

IX. ACKNOWLEDGMENTS

We thank Megan Chen and Emily Wang for their contribu-tions to this project during the summer of 2017. The authorsof this work are supported by NSF grants TWC-1646671and TWC-1664445. This work used the Extreme Scienceand Engineering Discovery Environment (XSEDE) Jetstreamcluster [54] through allocation TG-CCR170010, which issupported by NSF grant number ACI-1548562.

X. CODE AVAILABILITY

Our implementation is available under the three-clause BSDlicense from https://gitlab.com/neucrypt/mpecdsa/.

REFERENCES

[1] J. Doerner, Y. Kondi, E. Lee, and a. shelat, “Secure two-party thresholdecdsa from ecdsa assumptions,” in IEEE S&P, 2018.

[2] Y. Desmedt, “Society and group oriented cryptography: A new concept,”in CRYPTO, 1987.

[3] Y. Lindell, Fast Secure Two-Party ECDSA Signing, 2017.[4] R. Gennaro, S. Goldfeder, and A. Narayanan, Threshold-Optimal

DSA/ECDSA Signatures and an Application to Bitcoin Wallet Security,2016.

[5] D. Boneh, R. Gennaro, and S. Goldfeder, “Using level-1 homomorphicencryption to improve threshold dsa signatures for bitcoin wallet security,”http://www.cs.haifa.ac.il/~orrd/LC17/paper72.pdf, 2017.

[6] National Institute of Standards and Technology, “FIPS PUB 186-4:Digital Signature Standard (DSS),” http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf, 2013.

[7] American National Standards Institute, “X9.62: Public Key CryptographyFor The Financial Services Industry: The Elliptic Curve Digital SignatureAlgorithm (ECDSA),” 2005.

[8] D. R. L. Brown, “Sec 2: Recommended elliptic curve domainparameters,” 2010. [Online]. Available: http://www.secg.org/sec2-v2.pdf

[9] D. Kravitz, “Digital signature algorithm,” jul 1993, uS Patent 5,231,668.[10] S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller, “Elliptic

curve digital signature algorithm (dsa) for dnssec,” https://tools.ietf.org/html/rfc4492, 2006.

[11] P. Hoffman and W. Wijngaards, “Elliptic curve digital signature algorithm(dsa) for dnssec,” https://tools.ietf.org/html/rfc6605, 2012.

[12] Bitcoin Wiki, “Transaction,” https://en.bitcoin.it/wiki/Transaction, 2017,accessed Oct 22, 2017.

[13] G. Wood, “Ethereum: A secure decentralised generalised transactionledger,” 2017. [Online]. Available: https://ethereum.github.io/yellowpaper/paper.pdf

[14] Y. G. Desmedt and Y. Frankel, “Threshold cryptosystems,” in CRYPTO,1989.

[15] T. ElGamal, “A public key cryptosystem and a signature scheme basedon discrete logarithms,” in CRYPTO, 1984.

[16] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,Nov. 1979.

[17] T. P. Pedersen, “A threshold cryptosystem without a trusted party,” inEUROCRYPT, 1991.

[18] Y. Desmedt and Y. Frankel, “Shared generation of authenticators andsignatures (extended abstract),” in CRYPTO, 1991.

[19] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digitalsignatures and public-key cryptosystems,” Commun. ACM, vol. 21, no. 2,Feb. 1978.

[20] Y. Desmedt and Y. Frankel, “Parallel reliable threshold multisignature,”1992.

[21] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Robust and efficientsharing of rsa functions,” in CRYPTO, 1996.

[22] A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung, “How to share afunction securely,” in STOC, 1994.

[23] V. Shoup, “Practical threshold signatures,” in EUROCRYPT, 2000.[24] C.-P. Schnorr, “Efficient identification and signatures for smart cards,”

in CRYPTO, 1989.[25] D. R. Stinson and R. Strobl, “Provably secure distributed schnorr

signatures and a (t, n) threshold scheme for implicit certificates,” inACISP, 2001.

[26] S. K. Langford, “Threshold dss signatures without a trusted party,” inCRYPTO, 1995.

[27] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Robust thresholddss signatures,” in EUROCRYPT, 1996.

[28] P. MacKenzie and M. K. Reiter, Two-Party Generation of DSA Signatures,2001.

[29] Bitcoin Wiki, “Multisignature,” https://en.bitcoin.it/wiki/Multisignature,2017, accessed Oct 22, 2017.

[30] P. Paillier, “Public-key cryptosystems based on composite degreeresiduosity classes,” in EUROCRYPT, 1999.

[31] W. Diffie and M. Hellman, “New directions in cryptography,” IEEETrans. Inf. Theor., vol. 22, no. 6, Sep. 1976.

[32] N. Gilboa, “Two party rsa key generation,” in CRYPTO, 1999.[33] T. Chou and C. Orlandi, “The simplest protocol for oblivious transfer,”

in LATINCRYPT, 2015.[34] M. Keller, E. Orsini, and P. Scholl, “Actively secure OT extension with

optimal overhead,” in CRYPTO, 2015.[35] E. Hauck and J. Loss, “Efficient and universally composable protocols for

oblivious transfer from the cdh assumption,” Cryptology ePrint Archive,Report 2017/1011, 2017, http://eprint.iacr.org/2017/1011.

[36] J. Katz and Y. Lindell, Introduction to Modern Cryptography, SecondEdition, 2015, ch. Digital Signature Schemes, pp. 443–486.

14

[37] D. R. L. Brown, “Generic groups, collision resistance, and ecdsa,”Cryptology ePrint Archive, Report 2002/026, 2002, http://eprint.iacr.org/2002/026.

[38] S. Vaudenay, “The security of dsa and ecdsa,” in PKC, 2003.[39] N. Koblitz and A. Menezes, “Another look at generic groups,” Cryptology

ePrint Archive, Report 2006/230, 2006, https://eprint.iacr.org/2006/230.[40] S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for

signing contracts,” Commun. ACM, vol. 28, no. 6, Jun. 1985.[41] M. O. Rabin, “How to exchange secrets with oblivious transfer,”

Cryptology ePrint Archive, Report 2005/187, 1981, http://eprint.iacr.org/2005/187, Harvard University Technical Report 81.

[42] S. Wiesner, “Conjugate coding,” SIGACT News, 1983.[43] M. Naor and B. Pinkas, “Computationally secure oblivious transfer,” J.

Cryptol., vol. 18, no. 1, Jan. 2005.[44] D. Beaver, “Correlated pseudorandomness and the complexity of private

computations,” in STOC, 1996.[45] Y. Ishai, E. Kushilevitz, R. Ostrovsky, M. Prabhakaran, and A. Sahai,

“Efficient non-interactive secure computation,” in EUROCRYPT, 2011.[46] A. Beimel, A. Gabizon, Y. Ishai, E. Kushilevitz, S. Meldgaard, and

A. Paskin-Cherniavsky, “Non-interactive secure multiparty computation,”in CRYPTO, 2014.

[47] V. Shoup, “Lower bounds for discrete logarithms and related problems,”in EUROCRYPT, 1997.

[48] A. Fiat and A. Shamir, “How to prove yourself: Practical solutions toidentification and signature problems,” in CRYPTO, 1986.

[49] M. Fischlin, “Communication-efficient non-interactive proofs of knowl-edge with online extractors,” in CRYPTO, 2005.

[50] E. Waring, Philosophy Transactions, no. 69, pp. 59–67, 1779.[51] I. Damgård, V. Pastro, N. Smart, and S. Zakarias, “Multiparty computation

from somewhat homomorphic encryption,” in CRYPTO, 2012.[52] M. Keller, E. Orsini, and P. Scholl, “Mascot: Faster malicious arithmetic

secure computation with oblivious transfer,” in CCS, 2016.[53] R. Impagliazzo and M. Naor, “Efficient cryptographic schemes provably

as secure as subset sum,” J. Cryptol., vol. 9, no. 4, Sep 1996.[54] C. Stewart, T. Cockerill, I. Foster, D. Hancock, N. Merchant,

E. Skidmore, D. Stanzione, J. Taylor, S. Tuecke, G. Turner, M. Vaughn,and N. Gaffney, “Jetstream: a self-provisioned, scalable science andengineering cloud environment,” in XSEDE Conference: ScientificAdvancements Enabled by Enhanced Cyberinfrastructure, 2015. [Online].Available: http://dx.doi.org/10.1145/2792745.2792774

[55] M. Byali, A. Patra, D. Ravi, and P. Sarkar, “Efficient, round-optimal,universally-composable oblivious transfer and commitment scheme withadaptive security,” Cryptology ePrint Archive, Report 2017/1165, 2017,https://eprint.iacr.org/2017/1165.

[56] P. S. L. M. Barreto, B. David, R. Dowsley, K. Morozov, and A. C. A.Nascimento, “A framework for efficient adaptively secure composableoblivious transfer in the rom,” Cryptology ePrint Archive, Report2017/993, 2017, https://eprint.iacr.org/2017/993.

[57] M. Fischlin, “A note on security proofs in the generic model,” inASIACRYPT, 2000.

[58] J. Stern, D. Pointcheval, J. Malone-Lee, and N. P. Smart, “Flaws inapplying proof methodologies to signature schemes,” in Advances inCryptology — CRYPTO 2002, M. Yung, Ed. Berlin, Heidelberg: SpringerBerlin Heidelberg, 2002, pp. 93–110.

[59] A. W. Dent, “Adapting the weaknesses of the random oracle model tothe generic group model,” in Advances in Cryptology — ASIACRYPT2002, Y. Zheng, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg,2002, pp. 100–109.

[60] D. Boneh and X. Boyen, “Short signatures without random oracles,”in Advances in Cryptology - EUROCRYPT 2004, C. Cachin and J. L.Camenisch, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004,pp. 56–73.

[61] D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” inAdvances in Cryptology – CRYPTO 2004, M. Franklin, Ed. Berlin,Heidelberg: Springer Berlin Heidelberg, 2004, pp. 41–55.

[62] E. Bresson, O. Chevassut, and D. Pointcheval, New Security Results onEncrypted Key Exchange, 2004.

[63] R. Canetti, A. Jain, and A. Scafuro, “Practical uc security with a globalrandom oracle,” in CCS, 2014.

[64] R. Canetti, “Universally composable security: A new paradigm forcryptographic protocols,” in FOCS, 2001.

[65] R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random generationfrom one-way functions,” in STOC, 1989.

APPENDIX AOBLIVIOUS TRANSFER

We augment Simplest OT [33] with a verification procedureand refer to the new primitive as Verified Simplest OT (VSOT).VSOT is used as the basis for an instantiation of the KOS [34]OT-extension protocol, which is used in turn to build the OT-multiplication primitive required by our main signing protocol.

If we did not desire simulation-based malicious security, thenit may have been sufficient to use the Simplest OT schemewithout modification. In composing the protocol to build alarger simulation-sound malicious protocol however, there isa complication. The security proof relies upon the fact thatthe protocol’s hash queries are modeled as calls to a randomoracle, and uses those queries to extract the receiver’s inputs.However, the queries need not occur before the receiver has sentits last message, and so there is no guarantee that a maliciousreceiver will actually query the oracle. When Simplest OT iscomposed, it may be the case that the receiver’s inputs arerequired for simulation before they are required by the receiveritself, in which case the protocol will be unsimulatable. Thisflaw has recently been noticed by a number of authors, andwe refer the reader to other works [35], [55], [56] for moredetailed discussions. Barreto et al. [56] propose to solve theproblem by adding a public-key verification process in theRandom Oracle Model. Rather than using expensive public-keyoperations, however, we specify that the receiver must proveknowledge of its output using only symmetric-key operations,ensuring that it does in fact hold that output, and thereforethat its input is extractable. As a consequence, our protocol isable to realize only an OT functionality (FSF-OT) that allowsfor selective failure by the sender, but we show that this issufficient for our purposes.

A. Verified Simplest OT

We begin by describing the VSOT protocol. Because Aliceand Bob participate in this protocol with their roles reversed,relative to the usual arrangement, we refer to the participantssimply as the sender and receiver in this section. The protocolcomprises four phases. In the first, the sender generates aprivate/public key pair, and sends the public key to the receiver.In the second phase, the receiver encodes its choice bit andthe sender generates two random pads based upon the encodedchoice bit in such a way that the receiver can only recoverone. The third phase is a verification, which is necessary toensure that the protocol is simulatable. Finally, the pads areused by the sender to mask its messages for transmission to thereceiver in the fourth phase. This protocol realizes the FSF-OT

functionality, which is given in Appendix B.

Protocol 7. Verified Simplest OT (πVSOT):This protocol is parameterized by the Elliptic curve (G, G, q),and symmetric security parameter κ = |q|. It relies upon theFRDL

ZK functionality, and makes use of a hash function H . Ittakes as input a choice bit ω ∈ {0, 1} from the receiver, andtwo messages α0, α1 ∈ Zq from the sender. It outputs one

15

message αω ∈ Zq to the receiver, and nothing to the sender.Public Key:

1) The sender samples b← Zq, computes B ..= b ·G, andtransmits B to the receiver.

2) The sender submits (prove, b, G) to the FRDL

ZK function-ality. The receiver submits (prove, B,G), and receivesa bit indicating whether the proof was sound. If it wasnot, the receiver aborts.

Pad Transfer:3) The receiver samples a ← Zq, and then computes its

encoded choice bit A and the pad ρω

A ..= a ·G+ ω ·Bρω ..= H (a ·B)

and sends A to the sender.4) The sender computes two pads

ρ0 ..= H (b ·A)ρ1 ..= H (b · (A−B))

Verification:5) The sender computes a challenge

ξ ..= H(H(ρ0))⊕H(H(ρ1))

and sends the challenge ξ to the receiver.6) The receiver computes a response

ρ′ ..= H(H(ρω))⊕ (ω · ξ)

and sends ρ′ to the sender.7) The sender aborts if ρ′ 6= H(H(ρ0)). Otherwise, it

opens its challenge by sending H(ρ0) and H(ρ1) to thereceiver.

8) The receiver aborts if the value of H(ρω) it receivedfrom the sender does not match the one it calculateditself, or if

ξ 6= H(H(ρ0))⊕H(H(ρ1))

Message Transfer:9) The sender pads its two messages α0, α1, and transmits

the padded messages α̃0, α̃1 to the receiver

α̃0 ..= α0 + ρ0

α̃1 ..= α1 + ρ1

10) The receiver removes the pad from its chosen message

αω = α̃ω − ρω

For simplicity, we describe VSOT as requiring one completeprotocol evaluation per OT instance. However, if (public)nonces are used in each of the hash invocations, then thePublic Key phase can be run once and the resulting (single)public key B can be reused in as many Transfer and Verificationphases as required without sacrificing security. Further notethat if the messages transmitted by the sender are specifiedto be uniform, then the sender can actually omit the Message

Transfer phase entirely and treat the pads ρ0, ρ1 as messages,receiving them as output instead of supplying them as input.Likewise, the receiver treats its one pad ρω as its output. Thiseffectively transforms VSOT into a Random OT protocol. Wemake use of both of these optimizations in our implementation.

B. Correlated OT-extension with KOS

Our multiplication protocol requires the use of a large numberof OT instances where the correlation between messages isspecified, but the messages must otherwise be random. There-fore, rather than using VSOT directly, we layer a CorrelatedOT-extension (COTe) protocol atop it. This is essentially aninstantiation of the KOS protocol; thus we include a protocoldescription here for completeness, but refer the reader to Kelleret al. [34] for a more thorough discussion. Being a CorrelatedOT protocol, it allows the sender to define a correlation betweenthe two messages, but does not allow the sender to determinethe messages specifically. As with all OT-extension systems,it is divided into a setup protocol, which uses some base OTsystem to generate correlated secrets between the two parties,and an extension protocol, which uses these correlated secretsto efficiently perform additional OTs. These protocols realizethe Correlated Oblivious Transfer functionality F`COTe, whichis given in Section VI.

Protocol 8. KOS Setup(πSetupKOS

):

This protocol is parameterized by the curve order q and thesymmetric security parameter κ = |q|. It depends upon theOT Functionality FSF-OT, and takes no input from either party.Alice receives as output a private OTe correlation ∇ ∈ {0, 1}κand a vectors of seeds s∇ ∈ Zκq , and Bob receives two vectorsof seeds s0 and s1 ∈ Zκq .Setup:

1) Alice samples a correlation vector, ∇← {0, 1}κ.2) For each bit ∇i of the correlation vector, Alice and Bob

access the FSF-OT functionality, with Alice acting as thereceiver and using ∇i for her choice bit and Bob actingas the sender. Bob samples two random seed elementss0i ← Zq and s1

i ← Zq and Alice receives as output asingle seed element s∇ii .

3) Alice and Bob collate their individual seed elementsinto vectors, s∇ and s0, s1 respectively, and take thesevectors as output.

Protocol 9. KOS Extension(πExtendKOS

):

This protocol is parameterized by the OT batch size `, the OTsecurity parameter κOT, the curve order q, and the symmetricsecurity parameter κ = |q|. For notational convenience, let`′ = `+ κOT. It makes use of the pseudo-random generatorPrgZ : Zκq 7→ Z2`′ , which expands its argument and thenoutputs the chunk of `′ bits indexed by the value given as asubscript, and it makes use use of the hash function H . Theprotocol also uses a fresh, public OT-extension index, idext.Alice supplies a vector of input integers, α ∈ G1 × G2 ×. . .×G`, along with her private OTe correlation ∇ ∈ {0, 1}κ

16

and seed s∇ ∈ Zκq , which she received during the KOS setupprotocol. Bob supplies a vector of choice bits ω ∈ {0, 1}`along with his seeds s0 and s1 ∈ Zκq from the OT setup.Alice and Bob receive tA and tB ∈ G1 ×G2 × . . .×G` asoutput.Extension:

1) Bob chooses γext ← {0, 1}κOT

and collates w ..= ω‖γext.We use w to indicate w interpreted as a single value inZ2`′ . That is, Bits(w) = w.

2) Bob computes two vectors of PRG expansions of hisOT-extension seeds

v0 ..={Prgidext(s

0i )}i∈[1,κ]

v1 ..={Prgidext(s

1i )}i∈[1,κ]

and Alice computes a vector of expansions of hercorrelated seed

v∇ ..={Prgidext(s

∇ii )}i∈[1,κ]

3) Bob collates the vector ψ ∈ Z`′q , which is the transposeof v0. That is, the first element of ψ is the concatenationof the first bits of all of the elements of v0, and so on.More formally if we define a matrix

V ∈ {0, 1}κ×`′

then the relationship is given by

Vi = Bits(v0i ) ∀i ∈ [1, κ]

Vj = Bits(ψj) ∀j ∈ [1, `′]

4) Bob computes the matrix

u ..={

v0i ⊕ v1

i ⊕ w}i∈[1,κ]

and then he computes a matrix of pseudo-randomelements from Zq

χ ..= {H (j‖u)}j∈[1,`′]

which he uses to create a linear sampling of w and ψ

w′ ..=⊕

j∈[1,`′]

wj · χj

v′ ..=⊕

j∈[1,`′]

ψj ∧ χj

Finally, he sends w′, v′, and u to Alice.5) Alice computes the vector

z ..={

v∇ii ⊕ (∇i · ui)}i∈[1,κ]

and collates the vector ζ, which is the transpose of zin exactly the way that ψ is the transpose v0. She alsocalculates χ in the same manner as Bob

χ ..= {H (j‖u)}j∈[1,`′]

Finally, she computes

z′ ..=⊕

j∈[1,`′]

ζj ∧ χj

and if z′ 6= v′ ⊕(∇∧ w′

), where ∇ is ∇ reinterpreted

as an element in Z2κ , then Alice aborts.Transfer:

6) Alice computes

tA ..={H |αj |/κ(j‖ζj)

}j∈[1,`]

τ ..={H |αj |/κ(j‖(ζj ⊕∇))− tAj +αj

}j∈[1,`]

and sends τ to Bob7) Bob computes

tB ..=

{−H |τ j |/κ(j‖ψj) if wj = 0

τ j −H |τ j |/κ(j‖ψj) if wj = 1

j∈[1,`]

APPENDIX BADDITIONAL FUNCTIONALITIES

In this section, we present the additional functionalities onwhich our protocols rely. As before, we omit notation forbookkeeping elements that we do not explicitly use such assession IDs and party specifiers, which work in the ordinaryway; we also assume that if messages are received out of orderfor a particular session, the functionality aborts. We beginwith a Selective-failure OT functionality, which differs fromthe traditional OT functionality in that it allows the sender toguess the receiver’s choice bit. If the sender’s guess is incorrect,the functionality alerts both parties, and if the sender’s guessis correct, then the sender is notified while the receiver is not.

Functionality 5. FSF-OT:This functionality is parameterized by the group order q andruns with two parties, a sender and a receiver.Choose: On receiving (choose, ω) from the receiver, store(choice, ω) if no such message exists in memory and send(chosen) to the sender.Guess: On receiving (guess, ω̂) from the sender, if ω̂ ∈{0, 1,⊥} and if (choice, ω) exists in memory, and if(guess, ·) does not exist in memory, then store (guess, ω̂)in memory and do the following:

1) If ω̂ = ⊥, send (no-cheat) to the receiver.2) If ω̂ = ω, send (cheat-undetected) to the sender and

(no-cheat) to the receiver.3) Otherwise, send (cheat-detected) to both the sender

and receiver.Transfer: On receiving

(transfer, α0, α1

)from the sender,

if α0 ∈ Zq and α1 ∈ Zq, and if (complete) does notexist in memory, and if there exist in memory messages(choice, ω) and (guess, ω̂) such that ω̂ = ⊥ or ω̂ = ω, thensend (message, αω) to the receiver and store (complete) inmemory.

17

Finally, we give functionalities for zero-knowledge proofs-of-knowledge-of-discrete-logarithm. The first corresponds toan ordinary proof, whereas the second allows the prover tocommit to a proof that will later be revealed. Note that these arestandard constructions, except that they operate with groups ofparties, and all parties aside from the prover receive verification.

Functionality 6. FRDL

ZK :The functionality is parameterized by the group G of orderq generated by G, and runs with a group of parties P suchthat |P| = n.Proof: On receiving (prove, x,Bi) from Pi where x ∈ Zqand Bi ∈ G, store this message and the index i. On receiving(prove, X,Bj

)from Pj where X,Bj ∈ G, if X = x ·Bi =

x·Bj , then send (accept, i) to Pj . Otherwise, send (fail, i)to Pj . Note that multiple parties Pj may participate.

Functionality 7. FRDL

Com-ZK:The functionality is parameterized by the group G of orderq generated by G, and runs with a group of parties P suchthat |P| = n.Commit Proof: On receiving (com-proof, x,Bi) from Pi,where x ∈ Zq and Bi ∈ G, store (com-proof, x,Bi) andsend (committed, i) to all parties.Decommit Proof: On receiving (decom-proof) from Pi,store this message in memory. On receiving

(prove, X,Bj

)from Pj where X,Bj ∈ G, if (com-proof, x,Bi) and(decom-proof) exist in memory, then:

1) If X = x ·Bi = x ·Bj , send (accept, i) to Pj .2) Otherwise send (fail, i) to Pj .

Note that multiple parties Pj may participate.

APPENDIX CEQUIVALENCE OF FUNCTIONALITIES

We argue that FSampledECDSA does not grant any additionalpower to Alice by showing that an adversary who is able toforge a signature by accessing FSampledECDSA can be usedto forge an ECDSA signature in the standard ExistentialUnforgeability experiment that defines security for signatureschemes (see Katz and Lindell [36] for a complete descriptionof the experiment). We are only concerned with arguing thatan ideal adversary interacting with FSampledECDSA as Alice isunable to forge a signature because Bob’s view in his idealinteraction with FSampledECDSA is identical to his view wheninteracting with FECDSA.

Our reduction is in the Generic Group Model, whichwas introduced by Shoup [47]. While there are well-knowncriticisms of this model [57]–[59], it has also shown itself tobe useful in proving the security of well-known constructionssuch as Short Signatures [60] and Short Group Signatures [61].Furthermore, this is the model in which ECDSA itself is provensecure [37].

In this model an adversary can perform group operations onlyby querying a Group Oracle G(·). More specifically, queriesof the following types are answered by the Oracle:

1) (Group Elements) When the Oracle receives an integerx ∈ Zq , it replies with an encoding of the group elementcorresponding to this integer. Returned encodings arerandom, but the Oracle is required to be consistent whenthe same integer is queried repeatedly. This correspondsto the scalar multiplication operation with the generatorin an ECDSA group: Y ..= x ·G.

2) (Group Law) When the Oracle receives a tuple of the form(r, s,G(x),G(y)), it replies with a random encoding of thegroup element given by G(r ·x+s ·y). As before, outputsmust be consistent. This corresponds to a fused multiply-add operation in an ECDSA group: Z ..= (r ·X + s · Y ),where X = x ·G and Y = y ·G.

As usual in this model, the reduction itself will control theGroup Oracle, and in particular it has the ability to programthe Oracle to respond to specific queries with specific outputs.FSampledECDSA

A is used to denote an Oracle version ofthe FSampledECDSA functionality accessible only as Alice. Inaddition to the previously defined FSampledECDSA behavior, thisOracle returns the signature σidsig to Alice upon receiving(sign, idsig, ·, ·). This models the realistic scenario whereinAlice obtains the output signatures, which we wish to capturein our reduction, even though the functionality does not outputthe signature to her on its own.

Claim C.1. If there exists a probabilistic polynomial timealgorithm A in the Generic Group Model with access to theFSampledECDSA

A oracle, such that

Pr

[Verifypk (m,σ) = 1 ∧m /∈ Q :

(m,σ)← AFSampledECDSAA

(pk)

]≥ p(κ)

where Q is the set of messages for which A sends queriesof the form (new, ·,m, ·) to the FSampledECDSA

A Oracle, andwhere the probability is taken over the randomness of theFSampledECDSA functionality, then there exists an adversary Asuch that

Prpk,sk

[Verifypk (m,σ) = 1 ∧m /∈ Q :

(m,σ)← ASignsk(·) (pk)

]≥ p(κ)− poly(κ)

2−κ

where Q is the set of messages for which A queries the signingoracle Signsk(·).

Proof sketch. Our reduction is structured in an intuitive way.For readability we refer to A as Alice in its interactions withFSampledECDSA

A, and we note that A can only interact withAlice on behalf of the FSampledECDSA

A Oracle. First, A forcesAlice to accept the same public key that it received externallyin the forgery game, and then, for each query Alice makesto her FSampledECDSA

A oracle, A can request a correspondingsignature from the Signsk oracle under the same secret key.The nonce Rsig in the signature received from Signsk will notmatch the nonce R that Alice instructs the FSampledECDSA

A

oracle to use. However, A can take advantage of the fact thatFSampledECDSA

A is allowed to offset the nonce R by a randomvalue k∆ of its choosing. A sets k∆ so that k∆ ·G is exactly

18

the difference between R and Rsig. Computing k∆ directlywould require A to know the discrete log of the Rsig valueit was given by the Signsk oracle; instead, A uses its abilityto program the Group Oracle to ensure that G(k∆) is thedifference between R and the corresponding Rsig. We describeASignsk(·) formally below.

Algorithm 6. ASignsk(·) (pk):1) Answer any query G(x) as x · G, and any queryG(r, s,G(x),G(y)) as r ·G(x)+s ·G(y) unless otherwiseexplicitly programmed at those points.

2) Send (public-key, pk) to Alice.3) When a message of the form (new, idsig,m,B) is

received from Alice, sample kidsig

B ← Zq, calculateDB

..= kidsig

B ·G, store (sig-message, idsig,m, kidsig

B ) inmemory, and reply to Alice with

(nonce-shard, idsig, DB)

4) When a message of the form (nonce, idsig, i, Ri,idsig) isreceived from Alice, if (sig-message, idsig,m, kid

sig

B )exists in memory:

a) Query the Signing Oracle with the message m toobtain a signature(

sigidsig,i, Rsigidsig,i

)= σidsig,i ← Signsk (m)

Note that the oracle will only return the x-coordinateof Rsig

idsig,i, but recovering the point itself is easy. Store

(sig-signature, idsig, σidsig,i) in memory.b) Sample k∆

idsig,i← Zq , then compute

K∆idsig,i

..= Rsigi,idsig

−Ri,idsig

and program the Group Oracle such that

G(k∆idsig

)= K∆

idsig,i

c) Compute

k∆idsig,i,A = (1/kid

sig

B ) · k∆idsig

and program the Group Oracle such that

G(k∆idsig,i,A) = (1/kid

sig

B ) ·K∆idsig,i

d) Send (offset, idsig, k∆idsig,i,A

) to Alice.

5) When a message of the form (sign, idsig, i, kA) isreceived from Alice, if (sig-signature, idsig, σidsig,i)and (sig-message, idsig,m, kid

sig

B ) exist in memory, andkA · kid

sig

B · G = Rsigiidsig

, but (sig-complete, idsig) doesnot exist in memory, respond with σidsig,i and store(sig-complete, idsig) in memory.

6) Once Alice outputs a forged signature sig∗, output thissignature.

Notice that this reduction fails if Alice queries G on anindex k∆

idsig,i,Afor any idsig and any i before A programs it,

or if she queries it on an index kidsig

B for any idsig at any time.

By a standard argument, this event occurs with probabilitypoly(κ)/2κ. If these queries are not made, the reduction isperfect and the claim follows.

APPENDIX DPROOF OF SECURITY FOR OBLIVIOUS TRANSFER

In this section, we argue for the UC-security of the πVSOT

protocol discussed in Appendix A, and later discuss thesecurity of the KOS OT-extension protocol when considered incombination with the FSF-OT functionality that πVSOT realizes.

Theorem D.1. Assuming that the Computational Diffie-Hellman problem is hard in G, the protocol πVSOT UC-realizesthe FSF-OT functionality in the FRDL

ZK -hybrid model in thepresence of a statically corrupted malicious party, where H ismodeled as a non-programmable random oracle.

Proof sketch. We now provide simulators for πVSOT, alongwith an argument for their indistinguishably from the protocol.First, we will consider the case of security against malicioussender; later, we argue security against a malicious receiver.

Simulator 1. VSOT against Sender(SSVSOT

):

This simulator interposes between a malicious sender and thecorresponding ideal functionality FSF-OT. It is parameterizedby the symmetric security parameter κ. It outputs the sender’smessages α0 and α1. It makes use of the random oracle H ,and plays the role of FRDL

ZK in its interactions with the sender.Public Key:

1) Receive (prove, b, B) from the sender on behalf of FRDL

ZK

and forward it to FRDL

ZK . On receiving (accept, i, B), for-ward it to the sender. If FRDL

ZK responds with (fail, i, B),then abort.

Pad Transfer:2) Upon receiving (chosen) from FSF-OT, sample A← G.

Send A to the sender and calculate ρ0 and ρ1

ρ0 ..= H(b ·A)ρ1 ..= H(b · (A−B))

Verification:3) Compute sender’s expected challenge

ξexp ..= H(H(ρ0))⊕H(H(ρ1))

Upon receiving the sender’s actual challenge ξ, ifξ = ξexp, then set ω̂ ..= ⊥ and send (guess, ω̂) toFSF-OT and ρ′ ..= H(H(ρ0)) to the sender. Otherwise,let Q denote the set of all queries that the sender hasmade to the random oracle thus far. If there exists aquery Qi ∈ Q such that H(Qi) = ξ ⊕H(H(ρ1)), thenset ω̂ ..= 1. Otherwise, set ω̂ ..= 0. Send (guess, ω̂)to FSF-OT and receive either (cheat-detected) or(cheat-undetected), indicating whether the sendersucceeded in guessing the receiver’s input. If the senderhas succeeded and (cheat-undetected) is received,

19

send ρ′ ..= H(H(ρω̂)) to the sender. Otherwise, sendρ′ ..= H(H(ρ

¯̂ω)) to the sender and halt.Transfer:

4) Upon receiving α̃0 and α̃1, compute the sender’s inputs

α0 ..= α̃0 − ρ0

α1 ..= α̃1 − ρ1

Finally, send(transfer, α0, α1

)to FSF-OT.

The first message received by the sender comprises A =a ·G+ω ·G in the real world, and A = a ·G in the simulation.Because a is picked uniformly in both views, the two aredistributed identically. Given A and B, an honest sendercomputes ρ0 and ρ1 as ρ0 ..= b · A and ρ1 ..= b · A · B−1.Having received b on behalf of FRDL

ZK , the simulator can alsocompute these values, and thus can check whether the valueof ξ that it receives is correct. We now consider the sender’sview when ξ is not correct.

During the verification phase, the sender is required to openthe two values (H(ρ0) and H(ρ1)) that produce ξ. Only oneof these values, H(ρω), will be known to the receiver. Notethat this is the the sender’s opportunity to induce a selectivefailure: the sender can guess which value the receiver has, andsubstitute a random value for the opposite one when calculating(and later opening) ξ. If the receiver does not abort, the sender’sguess was correct. However, a corrupt sender can guess a well-formed triple of values H(ρ0), H(ρ1), and ξ without callingH(H(ρ0)) and H(H(ρ1)) with a probability of 2−κ, and ifthe triple is not well-formed, then the receiver will alwaysabort in the real world. This forces the sender to query therandom oracle, and its queries can be used by the simulatorto determine the sender’s guess ω̂. This is forwarded to thefunctionality, which informs the simulator whether the guessis correct. From this point, the simulator replies with exactlythe same values and aborts under exactly the same conditionsas the protocol in the real world. Therefore, the view of amalicious sender when executing πVSOT in the real world isdistinguishable from the view of a malicious sender wheninteracting with SSVSOT with probability no greater than 2−κ.

Now we consider security against a malicious receiver. Forthis section of the proof sketch, we need an additional lemma

Lemma D.2 ( [33], [62] ). Let q be the order of a group Ggenerated by G, whose elements are represented in κ = |q|bits. If there exists a PPT algorithm A such that:

Pr[A(1κ, x ·G) = x · x ·G : x← Zq] = ε

where the probability is taken over the choice of x, then thereexists an algorithm A′ which solves the Computational Diffie-Hellman problem in G with advantage ε2.

Simulator 2. VSOT against Receiver(SRVSOT

):

This simulator interposes between a malicious receiverand the corresponding ideal functionality FSF-OT, and is

parameterized by the symmetric security parameter κ. Itoutputs the receiver’s choice bit ω and the correspondingchosen message αω. It makes use of the random oracle Hand the functionality FRDL

ZK .Public Key:

1) Sample b ← Zq and compute B ..= b · G. Send(accept, i, B) to the receiver on behalf of FRDL

ZK .Pad Transfer:

2) Receive A from the receiver and compute ρ0, ρ1 as anhonest sender would.

3) Observe receiver’s random oracle queries. If receiverever queries b · A, then set ω ..= 0. If receiver everqueries b · (A−B), then set ω ..= 1. Once ω is set, send(choose, ω) to FSF-OT and receive (no-cheat).

Verification:4) Run the verification phase as an honest sender would.

Transfer:5) Upon receiving (message, αω), compute the two padded

messages α̃ω , α̃ω̄ , and send them to the receiver.

α̃ω ..= αω + ρω

α̃ω̄ ← Zq

Fixing B = b · G (which is chosen by the simulator onbehalf of the sender) and A (which is chosen and transmittedby the receiver) also fixes the two pads, ρ0 = H(b · A) andρ1 = H(b · (A−B)). The receiver cannot derive ρω withoutquerying the random oracle, except with probability 2−κ. Thesimulator observes the receiver’s queries and checks for equalitywith either b·A or b·(A−B) in order to determine the receiver’schoice bit. If the receiver manages to query both values, thenthe simulator cannot determine its choice bit. We argue thatif the receiver can do so with non-negligible probability, thenit can be used to compute x · x · G given X = x · G withnon-negligible probability in the following way.

Given a uniformly drawn challenge X = x · G, we cangenerate the receiver’s view with B = X (which has the correctdistribution). We have assumed that the receiver manages toquery both b · A = x · A and b · (A − B) = x · (A − X) =x · A − x · X , and we have assumed that the receiver canmake at most polynomially-many queries to the random oracle.Thus, we can choose any two of the receiver’s random oraclequeries, and with probability 1/poly(κ) their difference willbe equal to x · x ·G. By Lemma D.2, successfully computingx·x·G given X = x·G with non-negligible probability impliesbreaking the Computational Diffie-Hellman assumption.

The rest of the simulator behaves exactly as the protocoldoes, and the values it produces are identically distributed totheir real-world counterparts. Thus, the view produced by thesimulator is computationally indistinguishable from the viewof the receiver in a real-world protocol if the CDH problem ishard in G.

Remark. It is easy to extend the above protocol to implement aSelective-Failure OT functionality that supports the sending ofarbitrary sender-chosen messages (instead of the functionality

20

choosing the messages) via the standard reduction fromRandom OT to OT; that is, by using the sender’s output fromthe Random OT to encrypt the messages that it wants to send.Interestingly, this comes at the cost of no additional rounds. Weobserve that the resulting Selective Failure OT protocol can beproven secure in the Global Random Oracle Model of Canettiet al. [63], in spite of the fact that if the functionality FRDL

ZK isinstantiated with the Fischlin Transform [49], as is required toachieve non-interactivity and UC-security simultaneously, thenit typically requires the random oracle to be programmed whensimulating against a corrupt verifier. In our case, the value B(for which the prover is required to prove knowledge of discretelogarithm in Step 2 of πVSOT) is chosen by the simulator itselfwhen simulating against the verifier. Consequently, SRVSOT cansimply run the honest prover’s code to generate a proof, withoutprogramming the random oracle at any point. In the contextof the security reduction to the Computational Diffie-HellmanAssumption for the receiver that we have given above, it isnecessary to simulate FRDL

ZK in the traditional way, and thereforeto program the random oracle. This is not a problem, as it islegal to program the (global) random oracle in a reduction.

Finally, we note that our implementation of πVSOT reuses thefirst message of the sender across multiple parallel instances,which, as discussed by Chou and Orlandi [33] realizes thesame functionality adjusted for multiple messages.

Lemma D.3. The OT Extension protocol of Keller et al. [34](πSetup

KOS and πExtendKOS ) UC-realizes the F`COTe functionality in

the FSF-OT-hybrid model where H is modeled as a non-programmable random oracle.

Proof sketch. As these protocols are nearly exactly the sameas in Keller et al. [34], their analysis applies unmodified. Weobserve that weakening the OT functionality used by Keller etal. to our Selective Failure OT functionality does not allow themalicious receiver in their protocol any additional advantage.For each (guess, ω̂) message that a malicious receiver sendsto FSF-OT in our protocol, a malicious receiver in the protocolof Keller et al. would send (m0,m1) with mω̂ = ⊥. We recallthat the receiver is allowed to learn c bits of the sender’s privatecorrelation ∇, however at the risk of alerting the sender of acheat with probability 1−2−c (as the sender’s input to FSF-OT

is uniform). As the correlation ∇ is broken in the Extend ofthe protocol phase by being passed through a random oracle,the receiver’s overall success probability in making a correctrandom oracle query (corresponding to the key she is notsupposed to derive) is poly(κ)/2κ.

Remark. We observe that the OT extension protocol of Kelleret al. can be simulated without programming the randomoracle. Therefore, when instantiated with our πVSOT protocol,it realizes the F`COTe functionality in the Global RandomOracle Model under only the Computational Diffie-Hellmanassumption. To our knowledge, this is the first realization ofOT extension in this model and under this assumption.

APPENDIX EPROOF OF SECURITY FOR MULTIPLICATION

In this section, we prove that the multiplication protocolπMul realizes the FMul functionality in the Global RandomOracle Model [63] under the Universal Composability (UC)paradigm. For a definition of UC-security, we refer the readerto the seminal work of Canetti [64]. In Appendix E-A we proveLemma E.2, which states that the view of Alice in πMul issimulatable, and in Appendix E-B, Lemma E.4 makes a similarclaim with regard to the view of Bob. By the conjunction ofthese two lemmas, we claim Theorem E.1.

Theorem E.1. The protocol πMul UC-realizes the functionalityFMul in the F`COTe-hybrid Random Oracle Model, in thepresence of a malicious adversary statically corrupting eitherparty.

A. Simulating Against Alice

Simulator 3. Multiplication against Alice(SAMul

):

This simulator interposes between a malicous Alice and thecorresponding ideal functionality FMul. It is parameterized bythe statistical security parameter s and the symmetric securityparameter κ, with ` = 2κ+2s. It also makes use of a gadgetvector g of the same form as that used by πMul. It plays therole of the functionality F`COTe in its interaction with Alice,and it can both observe Alice’s queries to the random oracleH , and program the oracle’s responses.Init:

1) Receive message (init) from Alice on behalf of F`COTe

and send (init) to FMul.Multiplication:

2) Upon receiving (bob-ready, idmul, tA) from FMul, send(chosen, idmul) to Alice on behalf of F`COTe.

3) Receive (transfer, idmul, {αi‖α̂i}i∈[1,`]) from Aliceon behalf of F`COTe, and receive her messages u and r.Engage in the coin tossing protocol (corresponding toStep 4 of πMul) with Alice to derive the values χ and χ̂.

4) For each i ∈ [1, `], compute

∆i..= χ ·αi + χ̂ · α̂i − u

Next, compile a list I of the locations where Alice hascheated. If, for any i ∈ [1, `],

∆i 6= 0 ∨ ri 6= χ · tAi + χ̂ · t̂Ai

then append i to I and compute

ω̃i ..=ri − (χ · tAi + χ̂ · t̂Ai)

∆i

If there exists any index i such that ω̃i is defined but notin {0, 1}, then abort by setting δ ..= 0 and c ..= κ andskipping to Step 6. Otherwise, set c ..= |I| so that theFMul functionality will abort with probability 1− 2−|I|.

21

5) Choose any index i ∈ [1, `] such that χ ·αi+ χ̂ · α̂i = uand let α ..= αi. If no such index exists, then abort bysetting δ ..= 0, c ..= κ and skipping to Step 6. Otherwise,compute the additive offset

δ ..=∑i∈I

ω̃i · gi · (αi − α)

6) Send (input, idmul, α, δ, c) to FMul and halt

Lemma E.2. The view produced by SAMul and the view ofa malicious Alice in a real execution of the protocol πMul

are indistinguishable to any probabilistic polynomial timeadversary in the F`COTe-hybrid Random Oracle Model, exceptwith negligible probability.

Proof. Our proof of Lemma E.2 will proceed via a sequenceof hybrid experiments. The information in Alice’s view ischaracterized by the values tA and t̂A that she receives as outputfrom F`COTe upon sending it α and α̂. The joint distributionof outputs over which distinguishability is considered for thepurpose of this proof includes tA and tB, as well as a bitindicating whether Bob has been induced to abort.

For our first hybrid, we will need a lemma concerningthe distribution of encodings of Bob’s input. Recall that Bobencodes his input using Algorithm 4:

Algorithm 4. Encode(gR ∈ Zκ+2sq , β ∈ Zq):

1) Sample γ ← {0, 1}κ+2s

2) Output Bits (β − 〈gR,γ〉) ‖γ

We wish to show that it is hard to guess an encoding ω ←Encode(gR, β), even given β. A guess comprises a vector ω̂ ∈{0, 1,⊥}`, where ` = 2κ+ 2s is the size of an encoding, andthe ⊥ symbol indicates that no guess is made for a particular bit.A guess matches an encoding if and only if ω̂i = ωi∨ ω̂i = ⊥for all indices i ∈ [1, `].

Lemma E.3. Given gR ← Zκ+2sq , it holds with overwhelmingly

high probability that for all values β ∈ Zq and ω̂ ∈ {0, 1,⊥}`such that g = |{ω̂i ∈ ω̂ : ω̂i 6= ⊥}|,

Pr [Encode(gR, β) matches ω̂] ≤ 2−g + 2−s

where the probability is taken over the randomness of theencoding.

Proof. Let gL be the number of guessed bits that correspond tothe first κ bits of the encoding (i.e. the term Bits(β−〈gR,γ〉)),and let gR be the number of guessed bits that correspond to theremaining bits (i.e. the term γ), such that g = gL + gR. Sinceγ is chosen uniformly, the probability that any gR bits of γcan be guessed correctly is 2−g

R

. Impagliazzo and Naor [53,Proposition 1.1] show via the random choice of γ and theLeftover Hash Lemma [65] that the inner product 〈gR,γ〉has a statistical distance of at most 2(κ−|γ|)/2 with respectto the uniform distribution. We wish to know the probabilitythat gL bits of this inner product can be guessed correctly,

conditioned on gR bits of γ being guessed correctly. GuessinggR bits of γ correctly is equivalent to removing them (andtheir corresponding elements in gR) from the inner product;thus under this condition 〈gR,γ〉 has a statistical distance ofat most 2(κ−|γ|+gR)/2 with respect to the uniform distribution,and gL bits of the inner product can be guessed with probabilityat most 2−g

L

+ 2(κ−|γ|+gR)/2. It follows that the probabilityof guessing gL bits from the inner product and gR bits from γsimultaneously is at most

2−gR

·(2−g

L

+ 2(κ−|γ|+gR)/2)

and substituting |γ| = κ+ 2s, we have

2−gL−gR + 2−s−g

R/2 ≤ 2−g + 2−s

Hybrid H1 . This experiment is the same as a real-worldexecution of πMul except that Step 4 of SAMul is implemented todefine ∆, ω̃, and I, and the experiment aborts with probability1 − 2−|I| rather than aborting based on Step 6 of πMul. Theaddition of Step 4 of the simulator changes no variables inAlice’s view, and is used only to define the aforementionedvariables. We now argue that the abort events occurs withalmost the same probability in both H1 and the real worldexecution of πMul.

In the real experiment, Alice induces Bob to abort when,after we implement Step 4 of the simulator, there exists somei ∈ I such that ω̃i is defined and ω̃i 6= ωi. In the trivial case,when ω̃i 6∈ {0, 1}, Bob aborts with certainty. Otherwise, fori ∈ I, we have

ri = χ · tAi + χ̂ · t̂Ai + ω̃i ·∆i

χ · tBi + χ̂ · t̂Bi = ωi · (χ ·α+ χ̂ · α̂i)− (χ · tAi + χ̂ · t̂Ai)= (1− ω̃i)(u+ ∆i)− (χ · tAi + χ̂ · t̂Ai)= ωi · u+ ∆i − (χ · tAi + χ̂ · t̂Ai + ω̃i∆i)

= ωi · u+ ∆i − ri

6= ωi · u− ri

where the last line follows because ∆i 6= 0 when ω̃i is defined.Thus if Alice cheats in such a way that, for any i ∈ I, ω̃i 6= ωi,then Bob aborts, but if ω̃i = ωi for all i ∈ I, then she cheatsand is uncaught. Consequently, the probability that Alice cancheat without being caught in the real world is the same as theprobability that she correctly guesses Bob’s input ωi to F`COTe

at every location i ∈ I where she has cheated. By Lemma E.3,this probability is at most 2−|I| + 2−s. On the other hand,she sees an abort in H1 with probability 2−|I|. The advantageof a distinguisher in distinguishing this hybrid from the realprotocol is therefore at most 2−s.

Hybrid H2 . This experiment is the same as H1, except thefollowing instruction is added after Alice sends her secondmessage: Find any index i ∈ [1, `] such that χ ·αi+ χ̂ ·α̂i = u,and set α ..= αi. If no such index exists, or there exist twoindices i, j for which the condition holds, but αi 6= αj , thenabort.

22

This hybrid experiment differs from the last in that it abortsif there is not exactly one unique candidate for α, and thusa malicious Alice can distinguish H2 from H1 by inducingsuch a scenario without causing an abort. We argue that thisevent occurs with probability poly(κ)/2κ by analyzing bothconditions (no candidate, or too many candidates) and takinga union bound.

Consider the event in H1 when there is no candidate pair(αi, α̂i) such that χ · αi + χ̂ · α̂i = u, and yet no abort hasoccurred. This implies that ∆i 6= 0 (that is, Alice has cheatedat location i) for all indices i ∈ [1, `]. This event occurs withprobability 2−`.

Next, consider the event in H1 that there are two candidatepairs, with indices i and j. This implies that

χ · (αi −αj) + χ̂ · (α̂i − α̂j) = 0

Note that α and α̂ are fixed before χ, χ̂ are chosen, andthat for each selection of χ, there is only one χ̂ ∈ Zq thatsatisfies the equality. Because χ, χ̂ are chosen by hashing thetranscript in Step 4 of πMul, a malicious Alice may attempt toproduce different transcripts in order to satisfy this equality.Each random oracle query made by Alice succeeds in satisfyingthe condition with probability 2−κ; thus, Alice succeeds withprobability no greater than poly(κ)/2κ.

Hybrid H3 . This hybrid is the same as the previous one,except that instead of using Step 7 of πMul to define Bob’soutput of the computation tB, define Bob’s output as

tB ..= α · β + δ − tA

where

tA ..=∑i∈[1,`]

gi · tAi

δ ..=∑i∈I

ω̃i · gi · (αi − α)

and where α, ω̃, and I are defined as in H2. Note that, asbefore, if ω̃i 6= ωi for any i ∈ I, then an abort occurs. Thisessentially implements Step 5 of SAMul.

Recall that tAi + tBi = αi · ωi and that the final outputshares tA and tB maintain the following relation

tA + tB =∑i∈[1,`]

gi · tAi +∑i∈[1,`]

gi · tBi =∑i∈[1,`]

gi ·αi · ωi

Thus, if no abort occurs, then we have

tA + tB =∑i∈[1,`]

gi ·αi · ωi

= α ·∑i∈[1,`]

gi · ωi +∑i∈I

gi · ω̃i · (αi − α)

= α · β + δ

which is the relation claimed at the beginning of this hybrid.This hybrid is therefore distributed identically to H2.

Hybrid H4 . Implement the remaining steps in SAMul. Thesechanges are merely syntactic, and thus Alice’s view in H4 isidentical to her view in H3.

The view produced by SAMul is therefore indistinguishablefrom a real execution to a probabilistic polynomial timeadversary corrupting Alice, with overwhelming probability.

B. Simulating Against Bob

Simulator 4. Multiplication against Bob(SBMul

):

This simulator interposes between a malicous Bob and thecorresponding ideal functionality FMul. It is parameterized bythe statistical security parameter s and the symmetric securityparameter κ, with ` = 2κ+2s. It also makes use of a gadgetvector g of the same form as that used by πMul. The simulatorplays the role of the functionality F`COTe in its interactionwith Bob, and it can observe Bob’s queries to the randomoracle H .Init:

1) Receive message (init) from Bob on behalf of F`COTe

and send (init) to FMul.2) Send (init-complete) to Bob on behalf of F`COTe

upon receipt of (init-complete) from FMul.Multiplication:

3) Receive (choose, idmul,ω) from Bob on behalf ofF`COTe and compute

β ..=∑i∈[1,`]

gi · ωi

4) Send (input, idmul, β) to FMul

5) On receipt of (output, idmul, tB) from FMul, uniformlysample t̂B, tB ← Z`q such that∑

i∈[1,`]

tBi = tB

6) Send (padded-correlation, idmul, {tBi||̂tBi}i∈[1,`])to Bob on behalf of F`COTe.

7) Engage in the coin flipping protocol (corresponding toStep 4 of πMul) to compute χ and χ̂ as Alice would.

8) Sample u← Zq , and for each i ∈ [1, `], compute

ri ..= χ · tBi + χ̂ · t̂Bi − ωi · u

9) Send Bob the values u and r and halt.

Lemma E.4. The view produced by SBMul and the view of amalicious Bob in a real execution of the protocol πMul aredistributed identically in the F`COTe-hybrid Random OracleModel.

Proof. The information in Bob’s view is characterized by theoutputs tB and t̂B that he receives from F`COTe upon sendingω, and by the messages u and r that he receives from Alice.

23

As per the description of the F`COTe functionality, its outputsmaintain the following relations for all i ∈ [1, `]

tAi + tBi = ωi · α and t̂Ai + t̂Bi = ωi · α̂

In the real world, tA and t̂A are chosen uniformly at randomby F`COTe, and thus tB and t̂B are distributed uniformly as well.In the simulation, on the other hand, tB is chosen uniformlyby FMul, and then tB and t̂B are chosen uniformly by thesimulator, subject to ∑

i∈[1,`]

tBi = tB

Thus, by the relationships above, the values tA and t̂A are alsodistributed uniformly in the simulation, and all of these valuesare distributed identically in the real and simulated views.

In both the real and simulated views, α̂ is chosen uniformly atrandom, and χ and χ̂ are derived from a coin flipping protocol.Consequently, u = χ ·α+ χ̂ · α̂ is distributed identically in bothviews. Finally, by correctness of the protocol, in the real worldr is consistent with the following relation, for all i ∈ [1, `]

ri + ωi · u = χ · tBi + χ̂ · t̂BiIn the simulation, the value ω is received as on behalf of F`COTe,u is chosen by the simulator, χ, χ̂ are public, and tB and t̂Bare chosen by the simulator. The simulator can therefore solvefor r, and given that the distribution of the former values isidentical to their distribution in the real world, the resultingdistribution of r must be identical to the real-world distributionas well. The views produced by real and simulated executionsof πMul are therefore distributed identically to an adversarythat corrupts Bob.

APPENDIX FPROOF OF SECURITY FOR 2-OF-n ECDSA

In this section, we prove the security of our setup and signingprotocols via reductions to the Computational Diffie-HellmanAssumption and to the security of ECDSA itself in the RandomOracle Model. As we are concerned with the security of ourthreshold signing system over the lifetime of a public key, andin consideration of the interactions of all participating parties,we specify a shell protocol which orchestrates a signing epoch,in which the parties perform a single setup as a group, followedby some number of signatures between pre-determined pairs.It is with respect to this shell protocol that we claim security.

Protocol 10. 2-of-n ECDSA(π2P-EpochnP-ECDSA

):

This protocol runs among a group of parties P of size n,where each party’s unique player index in [1, n] is knownto the other parties. It is parameterized by the union of theparameters of its subprotocols; specifically, by the groupG of order q generated by G, with κ = |q|, and by thestatistical security paramter s. It receives as input a vectorm ∈ {0, 1}∗×∗ of messages and a vector P ∈ P2×|m| ofpairs of parties to sign those messages, such that in each pairthe party with the smallest index always comes first. To eachparty, it outputs a vector of signatures. After the Setup phase,

the Sign phase can be run repeatedly by pairs of parties fromthis group.Setup (2-of-n):

1) The parties jointly run π2P-SetupnP-ECDSA with no inputs. Each

party Pi receives as output the joint public key pk anda point p(i) on the polynomial p.

Signing:2) For each entry mj in m, let (PA,PB) = Pj . Now PA

and PB (that is, Alice and Bob) run π2P-SignnP-ECDSA, supplying

p(A) and p(B) respectively, and both supplying mj . PB

receives the signature as output, and PA receives nothing.

Theorem F.1. Assuming that ECDSA is a Digital SignatureScheme and that the Computational Diffie-Hellman Problemis hard in elliptic curve groups, the protocol π2P-Epoch

nP-ECDSA UC-realizes the FSampledECDSA functionality among n parties in the(FMul,FRDL

ZK ,FRDL

Com-ZK)-hybrid Random Oracle Model and inthe presence of a single statically corrupted malicious party.

Proof. Our proof will be via a sequence of hybrid experimentsshowing that the view of a corrupted party P∗i when partici-pating in the real-world protocol π2P-Epoch

nP-ECDSA is computationallyindistinguishable from a view generated by the simulatorS2P-Epoch,inP-ECDSA , which accesses FSampledECDSA. Specifically, letZ denote the environment, which chooses the messages tobe signed, the pairs of parties that will sign them, and theorder in which signing will happen. The environment istreated as an adversary: it receives some nonuniform advicez and it can corrupt exactly one party, P∗i , from whom itreceives a transcript of the π2P-Epoch

nP-ECDSA protocol. In a real-world experiment, the honest parties (i.e. all parties exceptP∗i ) also evaluate the π2P-Epoch

nP-ECDSA protocol, using the inputschosen by Z . In an ideal-world experiment, the honest partiesinstead interact with FSampledECDSA, while P∗i interacts withS2P-Epoch,inP-ECDSA , which in turn interacts with FSampledECDSA as an

ideal-world adversary. When all interactions are complete, Zguesses whether P∗i has interacted with real counterparties, orwith the simulator; this guess is the output of the experiment. Ifwe denote by EXPTπ,A,Z (z) the outcome of the experimentEXPT involving the protocol π, the adversary A, and theenvironment Z which receives advice z, then the space ofreal-world experiments is given by

H0 ={REALπ2P-Epoch

nP-ECDSA,P∗i ,Z (z)}z∈{0,1}∗

We wish to show that

H0c≡{IDEALFSampledECDSA,S2P-Epoch,i

nP-ECDSA ,Z (z)}z∈{0,1}∗

Due to the length and complexity of this proof, we havedivided it into sections. In Appendix F-A, we give a hybrid inwhich the components of P∗i ’s transcript that are due to thesetup protocol π2P-Setup

nP-ECDSA are simulated. In Appendix F-B, wegive a further sequence of hybrids that replace the transcriptcomponents due to cases in which P∗i participates in the

24

signing protocol π2P-SignnP-ECDSA and plays the role of Alice. In

Appendix F-C, we likewise give a sequence of hybrids todeal with cases in which P∗i plays the role of Bob, at whichpoint P∗i ’s view is totally simulated, and the proof is complete.We begin by giving a master simulator, which correspondsto π2P-Epoch

nP-ECDSA and calls upon the simulators we introduce insubsequent sections.

Simulator 5. 2-of-n ECDSA against P∗i (S2P-Epoch,inP-ECDSA):

This simulator interposes between a malicious P∗i and theideal functionality FSampledECDSA. It is parameterized bythe union of the parameters of the simulators that it calls;specifically, by the group G of order q generated by G, withκ = |q|, and by the statistical security paramter s. It receivesas input a vector of messages m ∈ {0, 1}∗×∗ and a vector ofcounterparties P ∈ P |m| with which to sign those messages.Setup (2-of-n):

1) Run SSetup,inP-ECDSA against P∗i and receive the public keypk and P∗i ’s point p(i).

Signing:2) For each item mj in m, use the counterparty index Pj

to calculate the appropriate Lagrange coefficient, anduse this to reconstruct the secret key share t0i for signingwith Pj . If Pj > i, invoke S2P-Sign,A

nP-ECDSA against P∗i withmessage mj , secret key share t0i , public key pk, anda fresh signature id idsig. Otherwise, invoke S2P-Sign,B

nP-ECDSA

with the same inputs.

A. Simulating Setup

We begin by giving a simulator SSetup,inP-ECDSA, which interactswith FSampledECDSA and the corrupt party P∗i , and produces atranscript corresponding to an invocation of π2P-Setup

nP-ECDSA.

Simulator 6. 2-of-n Setup against P∗i (SSetup,inP-ECDSA):This simulator interposes between a malicious P∗i and theideal functionality FSampledECDSA, and it is parameterized bythe group G of order q generated by G, with κ = |q|. Itreturns as output P∗i ’s point p(i) on a shared polynomial p,and the public key pk. It makes use of the functionalitiesFRDL

ZK and FMul.Public Key Generation:

1) Send (init) to FSampledECDSA and receive(public-key, pk).

2) Receive(com-proof, ski, G′

)from P∗i on behalf of

FRDL

Com-ZK and receive pki from P∗i directly. Send{(committed, j)}j∈[1,i)∪(i,n] to P∗i on behalf ofFRDL

Com-ZK. If ski · G′ 6= pki, then choose the parties’public key fragments to be a set of uniform values{

pkj

}j∈[1,i)∪(i,n]

← Gn−1

Otherwise, set them to be a random n−1 element additivesharing of (pk− pki). That is, for j ∈ [1, i) ∪ (i, n],

sample pkj uniformly from G subject to∑j∈[1,i)∪(i,n]

pkj = (pk− pki)

Send {(accept, j, pkj)}j∈[1,i)∪(i,n] to P∗i on behalf ofFRDL

ZK and receive (decom-proof) from P∗i on behalfof FRDL

ZK . If ski ·G′ 6= pki, then abort.3) For j ∈ [1, i)∪ (i, n], sample pj(i)← Zq and send it toP∗i . Receive pi,j(j) from P∗i in response.

4) Pick any j ∈ [1, i) ∪ (i, n] and interpolate P∗i ’s polyno-mial pi as the line that passes through the points (0, ski)and

(j, pi,j(j)

).

5) Enumerate any inconsistent shares that Pi may have sent,and calculate the offset by which they are incorrect:

∆ ..={pi(j)− pi,j(j)

}j∈[1,i)∪(i,n]

6) Compute the expected public commitment to P∗i ’s shareof the secret key

T expi

..=∑j∈[1,n]

pj(i) ·G

7) For j ∈ [1, i)∪ (i, n], calculate the appropriate Lagrangecoefficients λi,j , λj,i for Shamir-reconstruction betweenP∗i and Pj , and then compute

Tj ..=

(pk− λi,j · T exp

i

)λj,i

+ ∆j ·G

and send Tj to P∗i .8) Receive Ti from P∗i , and abort if Ti 6= T exp

i or if thereexists any index j such that ∆j 6= 0.

Auxiliary setup:9) Interact with P∗i on behalf of FMul, receiving (init)

messages and replying with (init-complete) messages asappropriate.

Hybrid H1 . This hybrid experiment is the same as H0 exceptthat P∗i ’s invocation of π2P-Setup

nP-ECDSA is replaced by an executionof SSetup,inP-ECDSA. The simulation is perfect. Consider the case thatP∗i attempts to cheat by sending points along pi that do notrepresent a line, or that represent a line that does not passthrough ski. This implies that there must exist two parties j andj′ such that λj,j′ ·p(j)+λj′,j ·p(j′) 6= sk. In the real world, itfollows that λj,j′ ·Tj+λj′,j ·Tj′ 6= pk, and therefore the partiesj and j′ will abort. Because the simulator receives pi,j(j) andpi,j′(j

′), it can calculate the exact discrepancy that appears inthe real world and induce it into Tj and Tj′ , while aborting inexactly the correct cases. Note that because the values Tj andTj′ are randomized, only the relationships between them needbe simulated, and so we can choose an arbitrary point alongpi from which to calculate any discrepancies.

B. Simulating Against Alice

We now consider the view of P∗i in its evaluations ofπ2P-SignnP-ECDSA with parties Pj where j > i, and show via the series

of hybrids in this section that this view is indistinguishable

25

from that generated by the simulator S2P-Sign,AnP-ECDSA that interacts

with the ideal functionality FSampledECDSA. For any specific j,the roles played by P∗i and Pj are consistent and determinedonly by their indices. Furthermore, the post-setup interactionsof P∗i and Pj are independent of P∗i ’s interactions withany other honest parties. Consequently, we consider eachhonest Pj individually, and for each sequential instance ofthe signing protocol evaluated by P∗i and Pj we apply thefollowing hybrids to show that instance indistinguishable froma simulation. For readability and convenience, we refer to P∗ias Alice in this section.

Before we specify the hybrids in this section, let us discussthe manner in which a malicious adversary playing the role ofAlice can cheat, and the power that this cheating confers. Alicesends only one message to Bob, and her sole mechanism forcheating is the sending of inconsistent values in this message.Specifically, Alice has an instance key kA which is defined by

kA = H(k′A ·DB) + k′A

where k′A is chosen adversarially by her. She also has a secretkey share t0A, from which pk was calculated, and a pad φ, whichshe chooses uniformly. The values she uses in the protocol,however, are R′ and the multiplication input vectors α1,α2a,and α2b, all of which are functions of t0A, kA, and φ. We usea proof of knowledge to verify the relationship between R′

and kA, but in the case of the multiplication inputs, cheatingon her part will introduce additive offsets into the outputsof the multiplication protocol that depend directly on Bob’sprivate inputs. Any offset in the final signature will causeBob to abort, which Alice can avoid by subtracting an equaloffset from her final message: in this way, she can guess Bob’sinput and confirm that she is correct. We show that she isunable to do this with non-negligible probability unless shehas the power to break the Computational Diffie-Hellman orDiscrete Log Assumptions for Elliptice Curves. We use δ1,δ2a, and δ2b to signify the offsets Alice induces by cheatingin FMul, and we use δ3, δ4, δ5, and δsig to signify the offsetsshe induces directly in her subsequent messages, which shecan use to cancel out the previous offsets. The propagation ofthese values through Alice and Bob’s calculations in the realworld is illustrated in Figure 3.

Simulator 7. 2-of-n Signing against Alice (S2P-Sign,AnP-ECDSA):

This simulator interposes between a malicous Alice and thecorresponding ideal functionality FSampledECDSA. It receivesas input a message m, the signature id idsig, the public keypk, and Alice’s share of the secret key t0A. It is parameterizedby statistical security parameter s, and the group G of orderq generated by G, with κ = |q|. It plays the roles of thefunctionalities FMul and FRDL

ZK in their interactions with Alice,and can both observe Alice’s queries to the random oracleH and program its responses.Multiplication and Instance Key Exchange:

1) Send (newsig, idsig,m,B) to FSampledECDSA to begin anew signature with Bob as the counterparty, and receive

(nonce-shard, DB) in response. Forward DB to Alice.2) Observe Alice’s queries to the random oracle H , and

let her ith query be Ri. If Ri has never been queriedbefore, send (nonce, idsig, i, Ri) to FSampledECDSA,receive (offset, idsig, k∆

i,A) in response, and store(idsig, Ri, k

∆i,A) in memory. Program H to return k∆

i,A toAlice as the result of her query on Ri.

3) Upon receiving R′ from Alice, find (idsig, Rj, k∆j,A) in

memory such that Rj = R′. If such an entry exists inmemory, remember the index j and set R ..= R′ + k∆

j,A ·DB; otherwise, choose any value for j, let Rj

..= R′, andabort by skipping to Step 8.

4) Interact with Alice on behalf of FRDL

ZK . On receiving(prove, kA, DB) from her, if kA ·DB 6= R, then abortby skipping to Step 8.

5) Interact with Alice on behalf of FMul, and in do-ing so receive her multiplication inputs,

(α1, δ1, c1

),(

α2a, δ2a, c2a), and

(α2b, δ2b, c2b

), and her (uniform)

output shares t1A, t2aA , and t2b

A . Toss c1 + c2a + c2b coins,and if any of these coins return 1, or if α2a 6= t0A/kA,or if α2b 6= 1/kA, then abort by skipping to Step 8.Otherwise, compute and store φ = α1 − 1/kA.

Consistency Check, Signature, and Verification:6) Upon receiving ηφ from Alice, observe Alice’s queries

to the random oracle H , and denote her ith query as Γ 1i .

For each query on Γ 1i , check whether

φ?= ηφ −H(Γ 1

i )

Γ 1i

?= G+ φ · kA ·G− t1A ·R+ δ1 ·R

If no query exists such that these relations hold, abortby skipping to Step 8. Otherwise, let Γ 1 ..= Γ 1

i .7) Upon receiving ηsig from Alice, compute

δ2 ..= δ2a + δ2b

Γ 2 ..=(t1A − δ1

)· pk−

(t2A − δ2

)·G

sigA..= ηsig −H(Γ 2)

Finally, if

sigA 6= H(m) · t1A + rx · t2A −H(m) · δ1 − rx · δ2

then abort by skipping to Step 8. Otherwise send(sign, idsig, j, kA) to FSampledECDSA and halt withoutproceeding to Step 8.

Abort:8) Cause FSampledECDSA to abort by choosing any k∗A

such that k∗A · DB 6= R′, sending (sign, idsig, j, k∗A) toFSampledECDSA, and halting. Note that this step is onlyreached when Alice has cheated.

Hybrid H2 . This hybrid experiment implements Steps 3 and 4of S2P-Sign,A

nP-ECDSA. It is the same as H1, except that it aborts whenAlice sends a value of R′ to Bob for which she has not queriedto the random oracle. When she does send such an R′, H1 alsoaborts with overwhelming probability, since kA, her input to

26

abort if Verify(pk, σ) /= 1

tA1 t

B1 + δ1 t

B2 + δ2 := t

B2a

+ δ2a + t

B2b

+ δ2btA2 := t

A2a

+ tA2b

m' := H(m) m' := H(m)

sig := sigB+ m' · (δ1

− δ4/kB) + r

x · δ2+ηsig+ δsig −H(Γ

B2)

σ := (sig mod q, rx mod q)

Output σ ∈ (Zq,Z

q)

sigA := m' · t

A1

+ rx · tA2

ΓB1 := (t

B1 + δ1) · R

R' R := H(R' ) · DB

+ R'

(rx, r

y) = R(r

x, r

y) = R := k

A · D

B

ΓA1 := G + φ · k

A · G − t

A1 · R + δ3 · G

sigB+ m' · (δ1

− δ4/kB) + r

x · δ2 := m' · (θ + δ1

− δ4/kB) + r

x · (t

B2 + δ2)

ηsig+ δsig := H(ΓA2) + sig

A+ δsig ηsig+ δsig

ηφ + δ4 := H( Γ

A1 ) + φ + δ4 ηφ

+ δ4 φ + δ4 := ηφ + δ4

− H( ΓB1)

ΓB2 := (t

B2 + δ2) · G − (θ + δ1

− δ4/kB) · pkΓ

A2 := t

A1 · pk − t

A2 · G + δ5 · G

θ + δ1 − δ4/k

B := t

B1 + δ1

− (φ + δ4)/kB

(kA,DB) (R,D

B)

ZK-DL(x,B)

xB=X

(X,B)

? abort if 0

Alice Bob

Fig. 3: Illustrated Propagation of Noise and Offsets for a Malicious Alice in our 2-of-n Signing Scheme. Noise induced by inconsistenciesin the multiplication input vectors α1, α2a, and α2b is indicated with red text, and offsets chosen by Alice are indicated with blue text. Notethat both noise and offsets are defined relative to the ideal values of other variables derived from Alice’s canonical inputs.

the proof of knowledge, is derived from the oracle’s response.Alice can guess the correct value of kA with probability nogreater than 2−κ without querying the random oracle, and thusher statistical advantage in distinguishing H2 from H1 is 2−κ.

Hybrid H3 . This hybrid experiment is identical to H2, exceptthat it aborts if Alice does not query the random oracle onthe value Γ 1 = t1B · R, where t1B is computed as Bob wouldcompute it, using the information in his view. In the real world,Bob makes an identical query in order to decrypt ηφ and ηsig. IfAlice has not also queried the oracle on this point, she cannothave sent the correct encryptions except with probability 2−κ.Thus, H3 is distinguishable from H2 with probability 2−κ.

To make the next step, we require a lemma to show that anadversary who can compute G/x given x ·G can be used tosolve the Computational Diffie-Hellman Problem.

Lemma F.2. Let q be the order of a group G generated by G,whose elements are represented in κ = |q| bits. If there exists

a PPT algorithm A such that

Pr[A(1κ, x ·G) = G/x : x← Zq] = ε

where the probability is taken over the choice of x, then thereexists an algorithm A′ such that

Pr[A′(1κ, x ·G) = x · x ·G : x← Zq] = ε3

Proof. The algorithm that receives a challenge X = x ·G anduses A to compute x · x ·G is as follows:

1) Sample z ← Zq uniformly and compute Y ..= (z ·G)−X .Let y be the discrete log of Y . Note that y is unknown,but that z = x+ y. As z is uniform and independent ofX , so is y.

2) Compute X ′ ..= A(X) and Y ′ ..= A(Y ). Recall that Xand Y are uniform and independent challenges to A. IfA was successful in both computations, then X ′ = G/xand Y ′ = G/y.

3) Sample r ← Zq uniformly and compute

W ..= r · A(r/z · (X ′ + Y ′)

)

27

Note that since r is sampled independently of X and Y ,the challenge given to A is uniform and independent ofX and Y . Note that

X ′ + Y ′ = G/x+G/y =x+ y

x · y·G =

z

x · y·G

Thus, if A was successful in this step,

W = r · zr· x · yz·G = x · y ·G = x · z ·G− x · x ·G

4) Output z ·X −W = x · x ·GThe algorithm A is successful with probability ε when its inputis uniformly distributed. As A is invoked with three uniformand independent challenges, the probability that it is correctall three times is ε3.

Corollary F.2.1. Let q be the order of a group G generatedby G, whose elements are represented in κ = |q| bits. If thereexists a PPT algorithm A such that

Pr[A(1κ, x ·G) = G/x : x← Zq] = ε

where the probability is taken over the choice of x, then thereexists an algorithm A′ such that A′ solves the ComputationalDiffie-Hellman problem in G with advantage ε6.

Proof. Follows directly from Lemma F.2 and Lemma D.2.

Hybrid H4 . This hybrid experiment implements Step 5of S2P-Sign,A

nP-ECDSA. It differs from H3 in that it always abortswhen any of Alice’s inputs to FMul are inconsistent with oneanother or with the instance key exchange. Recall that herinputs are given by the triples

(α1, δ1, c1

),(α2a, δ2a, c2a

), and(

α2b, δ2b, c2b). Specifically, Alice sees an abort if any of the

following conditions hold

ηφ −H(Γ 1) 6= α1 − 1/kA

α2a 6= t0A/kA α2b 6= 1/kA

On the other hand, in experiment H3, it is possible thatsome of these conditions hold and yet no abort occurs ifAlice offsets her final message ηsig in such a way that Bobreconstructs a valid signature in Step 13 of π2P-Sign

nP-ECDSA. Wewill show that if she can achieve this outcome (and therebydistinguish H4 from H3) with non-negligible probability, thenshe can be used to solve either the Computational Diffie-Hellman Problem or the Discrete Logarithm Problem overelliptic curves with non-negligible probability. It thus followsthat H4 is computationally indistinguishable from H3 by theComputational Diffie-Hellman Assumption.

For convenience, we define a few intermediate values. Let

e1 = ηφ −H(Γ 1)− α1 + 1/kA

e2a = α2a − t0A/kAe2b = α2b − 1/kA

That is, let e1 be the discrepancy between the value of φ thatBob calculates and the value that Alice has used in her inputto FMul, and let e2a and e2b be the discrepancies between α2a

and α2b and their respective ideal values. Note that e2a and e2b

are defined exclusively by extractable values in Alice’s view:t0A is extracted during setup, kA is extracted via FRDL

ZK , and theremaining α and t values are extracted via FMul. e1, on theother hand, depends upon Γ 1, which is defined in this hybridrelative to values in Bob’s view (though, per H3, Alice isguaranteed to query the random oracle on Γ 1). Our reductionswill not have access to Bob’s view, and therefore they willrequire an alternate means of determining Γ 1 and e1.

In the case where Alice can potentially distinguish H4 fromH3, at least one of the error values e1, e2a, and e2b must benon-zero. These are included with Alice’s inputs to FMul, andthe values δ1, δ2a, and δ2b represent additional errors inducedinto the outputs of FMul; thus we have

t1A + t1B =1

kA · kB+φ+ e1

kB+ δ1

t1A + θ =1

kA · kB+e1

kB+ δ1

t2aA + t2a

B =t0A

kA · kB+e2a

kB+ δ2a

t2bA + t2b

B =t0B

kA · kB+t0B · e2b

kB+ δ2b

Additionally, Alice can induce an error directly into thesignature by including it in her final message ηsig; this isgiven by

δsig = sigA −H(m) · t1A − rx · t2AAdding this to our signing equation, substituting in the error-laden shares above, and subtracting the value of an honestsignature, we arrive at the total error induced

H(m) ·

(e1

kB+ δ1

)+ rx ·

(e2a + t0B · e2b

kB+ δ2

)+ δsig

where δ2 = δ2a + δ2b. According to our premise that thesignature verifies, this expression must be equal to zero.Assuming this to be true, and then rearranging, we have

H(m) · e1

kB+ rx ·

e2a + t0B · e2b

kB= −H(m) · δ1− rx · δ2− δsig

We now partition our argument into three exhaustive subcases,based upon the value of the left hand side of this equation.

1) The first case:

H(m) · e1

kB+ rx ·

e2a + t0B · e2b

kB6= 0

In this case, we give a reduction to the Discrete LogarithmProblem. Because both sides are nonzero, we can onceagain rearrange the equation that defines our error, yielding

kB =H(m) · e1 + rx ·

(e2a + t0B · e2b

)−H(m) · δ1 − rx · δ2 − δsig

Thus, if Alice can distinguish H4 from H3 when this caseholds, then can be used to solve the Discrete LogarithmProblem with the same probability in the following way:given X = x ·G for which x is not known, run hybrid

28

experiment H4, choosing a value of sk uniformly andcalculating pk from it, rather than receiving pk and fromFSampledECDSA, and setting DB

..= X . During the courseof the experiment, all values in the right-hand side ofthe above equation are extracted or received from Alice,except for t0B, which can be calculated via t0B

..= sk− t0A,and e1, which depends on Γ 1 as noted previously. SinceAlice is guaranteed to query the random oracle on Γ 1,iterate over all of her queries, and for each candidate Γ 1

i ,calculate kBi via the above equation. Upon finding thequery index i such that kBi ·G = X , let x ..= kBi and theproblem is solved.

2) The second case:

H(m) · e1

kB+ rx ·

e2a + t0B · e2b

kB= 0 ∧ e2b 6= 0

In this case we also give a reduction to the DiscreteLogarithm Problem. Observe that by rearranging thepremise of the case

t0B =−H(m) · e1

rx · e2b− e2a

e2b

Thus, if Alice can distinguish H4 from H3 when this caseholds, then she can be used to solve the Discrete LogarithmProblem with the same probability in the following way:given X = x · G, for which x is unknown, run hybridexperiment H4, choosing pk ..= X . As in the first case,iterate over all of Alice’s random oracle queries, and foreach candidate point Γ 1

i , apply the above equation tocalculate t0Bi, followed by ski ..= t0A + t0Bi. Upon findingthe query index i such that ski ·G = X , let x ..= ski andthe problem is solved.

3) The third case:

H(m) · e1

kB+ rx ·

e2a + t0B · e2b

kB= 0 ∧ e2b = 0

In this case, we give a reduction to the ComputationalDiffie-Hellman Problem. Recall that

t1A + θ =1

kA · kB+e1

kB+ δ1

t2A + t2B =sk

kA · kB+e2a + t0B · e2b

kB+ δ2

and that Bob computes Γ 2 ..= t2B ·G− θ · pk. Substitutingthe previous pair of equations into this yields

Γ 2 =

(sk

kA · kB+e2a + e2b · t0B

kB+ δ2 − t2A

)·G

−

(1

kA · kB+e1

kB+ δ1 − t1A

)· pk

Next, according to the premise of this case, e2b = 0; thus,simplifying, we have

Γ 2 =(δ2 − t2A

)·G+

(t1A − δ1

)· pk+ e2a − e1 · sk

kB·G

Also by the premise of this case, e1 =(−rx · e2a

)/H(m).

Given that e1 and e2a must be nonzero, it follows that

e2a − e1 · sk = 0 ⇐⇒ rx/H(m) = 1

Recall that Alice is able to sample multiple values ofR′, from which rx is derived via the random oracle.For each value she tries, she achieves rx = H(m) withprobability 2−κ, and because she is polynomially bounded,she achieves rx = H(m) with probability poly(κ)/2κ

overall. Thus e2a − e1 · sk 6= 0 with overwhelmingprobability, and we can rearrange such that

G/kB =Γ 2 +

(δ1 − t1A

)· pk+

(t2A − δ2a

)·G

e2a − e1 · skThus if Alice can distinguish H4 from H3 when this caseholds, then she can be used to solve the ComputationalDiffie-Hellman Problem with a polynomial reduction inprobability in the following way: given X = x · G,for which x is unknown, run hybrid experiment H4

with DB..= X . Unlike the previous two cases, we

have no mechanism by which to confirm our results arecorrect, and so we cannot identify Γ 1 reliably. Instead,choose values for Γ 1 and Γ 2 at random from the setQ of Alice’s random oracle queries and then apply theabove equation. If Alice succeeds with probability ε,then this algorithm recovers G/x with probability ε/|Q|2,which is bounded by ε/poly(κ) given that Alice runs inpolynomial time. Given that G/x can be calculated withprobability ε/ poly(κ), by Corollary F.2.1 there existsan algorithm to solve the Computational Diffie-Hellmanproblem with probability ε6/ poly(κ).

These three cases are comprehensive; thus, if Alice candistinguish H4 from H3 with non-negligible probability, thenthere must exist a probabilistic polynomial time algorithm thatcan solve either the Discrete Logarithm Problem or the Compu-tational Diffie-Hellman Problem with non-negligible probability.Consequently, H4 is computationally indistinguishable fromH3 under the Computational Diffie-Hellman Assumption, andif in future hybrids there is no abort, then e1, e2a, and e2b

must all be equal to zero.

Hybrid H5 . This hybrid implements Step 6 of S2P-Sign,AnP-ECDSA.

This hybrid differs from the last in that Γ 1 is given by

Γ 1 ..= G+ φ · kA ·G− t1A ·R+ δ1 ·R

rather than Γ 1 ..= t1B · R as in H4. Note that Alice alwaysqueries Γ 1, and because e1, e2a, and e2b are zero when noabort occurs, as established in H4, the two derivations of Γ 1

are equivalent

Γ 1 = t1B ·R

=

(1

kA · kB+

φ

kB+ δ1 − t1A

)·R

= G+ φ · kA ·G+ δ1 ·R− t1A ·R

Consequently, H5 is distributed identically to H4.

29

Hybrid H6 . This hybrid implements Step 7 of S2P-Sign,AnP-ECDSA,

which implies two major differences relative to H5. First, Γ 2

is computed as

Γ 2 ..=(t1A − δ1

)· pk−

(t2A − δ2

)·G

rather than being computed as

Γ 2 ..=(t2B ·G− θ · pk

)as in H5. These two derivations are equivalent; observe that

Γ 2 =(t2B ·G− θ · pk

)

=

(

sk

kA · kB+ δ2 − t2A

)·G

−(

1

kA · kB+ δ1 − t1A

)· pk

=(t1A − δ1

)· pk−

(t2A − δ2

)·G

Second, H6 aborts if

sigA 6= H(m) · t1A + rx · t2A −H(m) · δ1 − rx · δ2

rather than aborting if Verify(sigA + sigB) 6= 1 as in H5.Observe, however, that there is only one value of sig whichverifies as a signature once R and pk are fixed, and that

sig = sigA + sigB

= sigA +H(m) · θ + rx · t2B

= sigA +H(m) ·(

1

kA · kB+ δ1 − t1A

)+ rx ·

(sk

kA · kB+ δ2 − t2A

)= sigA +

H(m) + sk · rxkA · kB

−H(m) · t1A − rx · t2A +H(m) · δ1 + rx · δ2

= sig + sigA

−H(m) · t1A − rx · t2A +H(m) · δ1 + rx · δ2

Thus Verify(sigA + sigB) = 1 if and only if

sigA = H(m) · t1A + rx · t2A −H(m) · δ1 − rx · δ2

and H6 is distributed identically to H5.

Hybrid H7 . In this, the last hybrid for instances of theπ2P-SignnP-ECDSA where P∗i plays the role of Alice, Steps 1 and 2

of S2P-Sign,AnP-ECDSA are added, which implies that S2P-Sign,A

nP-ECDSA isimplemented completely, and no elements of Bob’s view arerequired to run the experiment. These changes are syntactic,and so the distribution of H7 is identical to that of H6.

C. Simulating Against Bob

Having dealt in Appendix F-B with the view of P∗i in itsevaluations of π2P-Sign

nP-ECDSA with parties Pj where j > i, wenow consider its view where j < i, and show via the seriesof hybrids in this section that this view is indistinguishable

from that generated by the simulator S2P-Sign,BnP-ECDSA that interacts

with the ideal functionality FSampledECDSA. For conveniencewe refer to P∗i as Bob in these hybrids.

Unlike Alice, Bob cannot cheat by inducing additive offsetsinto the outputs of the multiplications; he can only useinconsistent inputs. On the other hand, because he receives theoutput of the protocol, which is a (publicly verifiable) signature,he is able in some cases to guess values and check on his ownwhether his guesses are correct. Finally, note that because Bobreceives the final message in our protocol, the failure conditionfor the protocol corresponds to the case when he cannot decryptthis message or produce a valid output. For convenience, werefer to this condition as an abort in the following section.

Simulator 8. 2-of-n Signing against Bob (S2P-Sign,BnP-ECDSA):

This simulator interposes between a malicous Bob and thecorresponding ideal functionality FSampledECDSA. It receivesas input the public key pk, the message m, the signature ididsig, and Bob’s share of the secret key t0B. It is parameterizedby the statistical security parameter s and the group G oforder q generated by G, with κ = |q|. It plays the roles ofthe functionalities FMul and FRDL

ZK in their interactions withBob, and it can both observe Bob’s queries to the randomoracle H , and program the oracle’s responses.Multiplication and Instance Key Agreement:

1) Upon receiving DB from Bob, begin a new sig-nature with Alice as the counterparty by sending(newsig, idsig,m,A) to FSampledECDSA.

2) Interact with Bob on behalf of FMul, and in doing soreceive his private multiplication inputs β1, β2a, and β2b

and his corresponding outputs t1B, t2aB , and t2b

B . Note thatBob’s inputs to the multiplications may be inconsistent.

3) If (G/β1 = DB

)then let kB ..= 1/β1 and continue. Otherwise, abort byskipping to step 8.

4) If (β1 = β2a

)∧(β1 · t0B = β2b

)then continue. Otherwise, abort by skipping to step 8.

5) Send (sign, idsig) to FSampledECDSA and receive(signature, R, k∆, σ) in response.

Consistency Check, Signature, and Verification:6) Compute R′ ..= R−k∆ ·G and send R′ to Bob. Program

the random oracle H such that when it receives a queryon the value R′, it replies with the value k∆/kB.

7) Interact with Bob on behalf of FRDL

ZK , and upon receiving(prove, R, D̂B), reply with (accept,A) if R = H(R′) ·D̂B +R′ or (fail,A) otherwise.

8) Compute Γ 1 ..= t1B ·R as Bob would if he were honest.Sample φ← Zq uniformly and compute ηφ ..= H(Γ 1)+φ. Send ηφ to Bob.

30

9) Parse σ = (sig, rx), and then compute

θ ..= t1B − φ/kBΓ 2 ..= (t2B ·G− θ · pk)sigB

..= H(m) · θ + rx · t2BsigA

..= sig − sigB

ηsig ..= H(Γ 2) + sigA

Send ηsig to Bob and halt without proceeding to step 8.Abort:

8) Send R′ ← G, ηφ ← Zq, and ηsig ← Zq toBob. Interact with Bob on behalf of FRDL

ZK , and uponreceiving (prove, R, D̂B), reply with (accept,A) ifR = H(R′) · D̂B +R′ or (fail,A) otherwise. InstructFSampledECDSA to abort, and then halt. Note that this stepis only reached when Bob has cheated.

For the next hybrid, we rely on circular secure encryptionin the Random Oracle Model, as formalized in Lemma F.3.

Lemma F.3. Let q be the order of a group G generatedby G, whose elements are represented in κ = |q| bits. IfH : {0, 1}∗ 7→ Zq is a random oracle and x ← Zq is aprivate value sampled uniformly at random, then for any publicconstants C1, C2 ∈ G such that C2 6= 0, a PPT algorithmrunning in time poly(κ) with oracle access to H has anadvantage no greater than poly(κ)/2κ in distinguishing thedistribution of H(C1+x·C2)+x from the uniform distributionover Zq .

Proof. The algorithm can distinguish a sample drawn fromH(C1 +x ·C2)+x from uniform only by guessing the correctvalue of x, querying H , and testing whether the result matches.Given that the algorithm can make at most poly(κ) queries toH and that C1 + x · C2 is distributed uniformly over Zq , theprobability that this point is queried to H is poly(κ)/2κ.

Hybrid H8 . This hybrid implements Steps 2 and 3 ofS2P-Sign,BnP-ECDSA. Relative to H7, this experiment always aborts if

Bob uses β1 6= 1/kB as input to his first invocation of FMul,whereas in previous hybrids, Bob could use such an inconsistentinput and nevertheless avoid an abort by guessing certainintermediate values and checking whether a valid signature isproduced. We will show that he succeeds in avoiding an abortwith negligible probability in H7.

Suppose that Bob passes β1 ..= 1/kB+e to his first invocationof FMul, instead of 1/kB as he is supposed to do. The outputof this invocation will then take the form

t1A + t1B =φ

kB+

1

kA · kB+ φ · e+ e

kA

and Alice will compute the first check value as

Γ 1 ..= G+ φ · kA ·G− t1A ·R= G+ φ · kA ·G

−(φ

kB+

1

kA · kB+ φ · e+ e

kA− t1B

)·R

=

(t1B − φ · e−

e

kA

)·R

She will then encrypt φ and transmit her encryption to Bob

ηφ ..= φ+H

((t1B − φ · e−

e

kA

)·R

)By Lemma F.3 and the fact that φ is drawn uniformly, Bobcannot distinguish ηφ from uniform (and thereby recover φ)with probability better than poly(κ)/2κ. Subsequently, Alicecomputes Γ 2 ..= t1A · pk− t2A ·G, which implies

Γ 2 = t1A · pk− t2A ·G

=

(1

kA · kB+

e

kA+

φ

kB− t1B

)· pk

−(

sk

kA · kB− t2B

)·G

=

(e

kA+

φ

kB

)· pk−

(t1B · pk− t2B ·G

)Because Bob can calculate φ with probability poly(κ)/2κ, hisprobability of deriving Γ 2 and correctly decrypting Alice’smessage ηsig is also bounded by poly(κ)/2κ. Thus, if Bobpasses β1 ..= 1/kB + e to his first invocation of FMul inH7, the experiment aborts with overwhelming probability, andconsequently H7 and H8 are computationally indistinguishable.

Hybrid H9 . In this hybrid experiment, Step 4 of S2P-Sign,BnP-ECDSA

is partially implemented. Specifically, if Bob uses β2a 6= β1

as his input to the second invocation of FMul, then the valuesηφ and ηsig are sampled uniformly. Because our real-worldprotocol coalesces Bob’s first and second invocations of FMul

as described in Section VI-C, Bob is in fact already constrainedto using β1 = β2a. Therefore, H9 is distributed identically toH8, and if β2a 6= 1/kB, then then the values ηφ and ηsig aresampled uniformly.

Hybrid H10 . This hybrid experiment fully implements Step 4of S2P-Sign,B

nP-ECDSA. Bob’s view in this hybrid differs from his viewin H9 in that ηφ and ηsig are replaced with uniform values ifBob uses β2b 6= t0B/kB as his input to the third invocation ofFMul. We must reason about the power that Bob has to guessintermediate values and correctly decrypt Alice’s final messageηsig in the case that he has cheated in this way. Recall that todecrypt the final message, Bob computes

sig = sigB + ηsig −H(Γ 2)

If he does not query the random oracle on the correct value ofΓ 2 (in either this hybrid or H9), then he must guess its output,which he succeeds at doing with no better probability than hehas of guessing a valid signature from whole cloth. Suppose,however, that he cheats by passing β2b = t0B/kB + e to thethird invocation of FMul, and nevertheless queries the correctvalue of Γ 2. We will show that if he can achieve this withnon-negligible probability, then he can be used to break theComputational Diffie-Hellman Assumption.

31

We have previously established that if there is no abort, thenβ1 = 1/kB and α1 = 1/kA + φ, and the first invocation ofFMul yields shares to Alice and Bob such that

t1A + t1B =1

kA · kB+

φ

kB

Bob is thus able to calculate

Γ 1 ..= t1B ·Rφ ..= ηsig −H(Γ 1)

θ ..= t1B − φ/kB

If Bob supplies β2b = t0B/kB + e as his input to the thirdinvocation of FMul, then it will yield shares such that

t2bA + t2b

B =t0B

kA · kB+

e

kA

which implies that

t2A + t2B =sk

kA · kB+

e

kA

We have supposed that Bob queries the random oracle onthe same value of Γ 2 that Alice uses to encrypt ηsig; thus

Γ 2 = t1A · pk− t2A ·G

=

(1

kA · kB− θ)· pk−

(sk

kA · kB+

e

kA− t2B

)·G

= t2B ·G−e

kA·G− θ · pk

which in turn implies

G/kA =t2B ·G− θ · pk− Γ 2

e

Thus, given a (uniform) challenge X = x ·G for which xis unknown, we can use Bob in the following way to computeG/x with a polynomial probability loss. First, sample a randomvalue h← Zq , and then run the hybrid experiment H10, usingR′ ..= kB ·X − h ·DB. Program the random oracle such thatH(R′) = h; this implies that

R = H(R′) ·DB +R′ = x · kB ·G

which is uniform, as it is in the real execution, due to thefact that x is uniform. Extract Bob’s input β2b to the thirdinvocation of FMul, along with his input 1/kB = β1 to the firstinvocation, and t0B, his secret key share chosen during setup,and with these values calculate

e ..= β2b − t0B/kB

Finally, if Bob terminates with an output, choose one of hisrandom oracle queries at random to be the value Γ 2, and thenapply the equation above to compute

G/x ..=t2B ·G− θ · pk− Γ 2

e

If Bob queries the correct value of Γ 2 with probability ε,and queries at most polynomially many values in total, thenthis reduction computes G/x with probability ε/poly(κ). By

Corollary F.2.1, this implies that Bob can be used to solvethe Computational Diffie-Hellman Problem with probabilityε6/poly(κ). Consequently H10 is computationally indistin-guishable from H9 under the Computational Diffie-HellmanAssumption.

Hybrid H11 . This hybrid implements the remaining steps inS2P-Sign,BnP-ECDSA, to completely simulate Bob’s view. The changes

from the last hybrid are merely syntactic, and thus H11 andH10 are distributed identically.

The party P∗i ’s view is entirely simulated in H11, and so

H11 ={IDEALFSampledECDSA,S2P-Epoch,i

nP-ECDSA ,Z (z)}z∈{0,1}∗

By this sequence of hybrids, H11c≡ H0; in other words,

the view of a static adversary corrupting a single party P∗iin the real world is computationally indistinguishable froma simulated execution of the same set of protocol instancesunder the Computational Diffie-Hellman Assumption in the(FMul,FRDL

ZK ,FRDL

Com-ZK)-hybrid Random Oracle Model, andTheorem F.1 is proved.

32